Changes

19,068 bytes added , 05:48, 22 February 2022

section on input structure and possible explanation for 6-24 error

Line 3: Line 3:

'''/dev/di''' is the [[IOS]] driver used to control the disc drive. This documentation is mostly based on the most recent version (dated Jun 3 2009 07:49:09 and included in [[IOS58]] and [[IOS80]]). Names are based on function names found in Nintendo titles (which print an error message including the name if the Ioctl or Ioctlv fails). DVDLowRequestAudioStatus and DVDLowAudioStream are not found in Wii titles, but the names can be found in [https://wiki.dolphin-emu.org/index.php?title=Ships_with_Debugging_Symbols debug symbols included in various Gamecube games].

+

== Input structure ==

The input to all /dev/di commands (other than enable DVD video) is the following struct, which must be sized 0x20 and aligned 4:

Line 23: Line 24:

(DiIoctl) Note: This is normal for DVD software before 6-24

</pre></blockquote>

+

This probably means IOCTL numbers were created on June 24th of some year.

== Return values ==

Line 76: Line 79:

== Version history ==

−

There are '''10''' known versions of the DI driver found in various [[IOS History|IOS versions]], based on the IOS versions ~~still~~ present on NUS. These are generalized into 5 version families, based on observable behavior (this is not strictly chronological, presumably as Nintendo was working on multiple versions with the same features at the same time). It is quite likely that there are additional changes not noted here.

+

There are '''14''' known normal versions (along with '''9''' [[#vWii note|matching vWii versions]]) of the DI driver found in various [[IOS History|IOS versions]], based on the IOS versions present on NUS and those found on various game discs. These are generalized into 5 version families, based on observable behavior (this is not strictly chronological, presumably as Nintendo was working on multiple versions with the same features at the same time). It is quite likely that there are additional changes not noted here.

The DI driver includes a full set of [[:/dev/es|ES]] IoctlV wrappers, although it only uses ES_DiVerify and ES_DiVerifyWithTicketView. It also includes instructions for all [[syscalls]], even though most are not used. Both of those change across versions, even though those differences do not actually show up in practice.

Line 85: Line 88:

! Version

! <abbr title="Issues 0xE0 when the error interrupt is set before running another command, in addition to clearing the interrupt">0xE0 on error</abbr>

−

! <abbr title="Attempts to write 0xDEADBEEF to kernel memory (0xFFFF0000) on diFatalError, in addition to calling CancelThread and entering an infinite loop. Error message is also '(diFatalError) *** DI FATAL ERROR: %s\nExiting\n' instead of '(diFatalError) Fatal error in DI driver: %s\nExiting\n' to on these versions.">DEADBEEF fatal error</abbr>

+

!class="unsortable"| <abbr title="Attempts to write 0xDEADBEEF to kernel memory (0xFFFF0000) on diFatalError, in addition to calling CancelThread and entering an infinite loop. Error message is also '(diFatalError) *** DI FATAL ERROR: %s\nExiting\n' instead of '(diFatalError) Fatal error in DI driver: %s\nExiting\n' to on these versions.">DEADBEEF fatal error</abbr>

! <abbr title="Out of bounds">OoB</abbr> [[#0x8D DVDLowUnencryptedRead|0x8D]]

! [[#0x90 DVDLowGetNoDiscOpenPartitionParams|0x90]]

−

! [[#0x91 DVDLowNoDiscOpenPartition|0x91]]

+

!class="unsortable"| [[#0x91 DVDLowNoDiscOpenPartition|0x91]]

−

! [[#0x92 DVDLowGetNoDiscBufferSizes|0x92]]

+

!class="unsortable"| [[#0x92 DVDLowGetNoDiscBufferSizes|0x92]]

! [[#0x93 DVDLowOpenPartitionWithTmdAndTicket|0x93]]

−

! [[#0x94 DVDLowOpenPartitionWithTmdAndTicketView|0x94]]

+

!class="unsortable"| [[#0x94 DVDLowOpenPartitionWithTmdAndTicketView|0x94]]

−

! [[#0x95 DVDLowGetStatusRegister|0x95]]

+

!class="unsortable"| [[#0x95 DVDLowGetStatusRegister|0x95]]

! [[#0x96 DVDLowGetControlRegister|0x96]]

! <abbr title="Uses IOSC_CheckDiHashes instead of verifying in DI itself">IOSC</abbr>

! <abbr title="Highest IOS Syscall number">Syscall</abbr>

! <abbr title="Highest /dev/es IoctlV number">ES</abbr>

+

! <abbr title="Present in the latest version of at least one IOS version">Live</abbr>

|-

−

| [[#Group A|A]]

+

|rowspan="4"| [[#Group A|A]]

−

|data-sort-value="~~1160070081~~"| [[#~~Oct 5~~ 2006 17:41:21|~~Oct 5~~ 2006 17:41:21]]

+

|data-sort-value="1155209090"| [[#Aug 10 2006 11:24:50|Aug 10 2006 11:24:50]]

−

| {{~~Yes}}~~

+

|rowspan="2" {{Yes2}} Yes

−

~~| {{No}}~~

+

|rowspan="4" {{No}}

−

~~| {{No~~}}

−

| {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|rowspan="4" {{No}}

+

|data-sort-value="115"| 0x73

+

|data-sort-value="47" | 0x2f

| {{No}}

+

|-

+

|data-sort-value="1155490424"| [[#Aug 13 2006 17:33:44|Aug 13 2006 17:33:44]]

+

|rowspan="3" {{No2}} No

+

|rowspan="3" data-sort-value="116"| 0x74

+

|rowspan="3" data-sort-value="49" | 0x31

| {{No}}

−

~~| {{No}}~~

−

~~| {{No}}~~

−

~~| {{No}}~~

−

~~| {{No}}~~

−

~~| 0x74~~

−

~~| 0x3c~~

|-

−

~~| [[#Group B|B]]~~

+

|data-sort-value="1160070081"| [[#Oct 5 2006 17:41:21|Oct 5 2006 17:41:21]]

−

|data-sort-value="~~1181326629~~"| [[#~~Jun~~ ~~8 2007 18~~:17:09|~~Jun~~ ~~8 2007 18~~:17:09]]

+

|rowspan="2" {{Yes}}

−

| ~~{{Yes}}~~

−

~~| {{No}}~~

−

~~| {{Yes}}~~

−

~~| {{Yes}}~~

−

~~| {{Yes}}~~

−

~~| {{Yes}}~~

−

~~| {{Yes}}~~

−

| {{Yes}}

−

~~| {{No}}~~

−

~~| {{No}}~~

−

~~| 0x76~~

−

~~| 0x3c~~

|-

−

~~|rowspan="3" | [[#Group C|C]]~~

+

|data-sort-value="1333453975"| [[#Apr 3 2012 11:52:55|Apr 3 2012 11:52:55]]

−

|data-sort-value="~~1216063532~~"| [[#~~Jul 14 2008 19~~:25:32|~~Jul 14 2008 19~~:25:32]]

+

|data-sort-value="z" {{Partial|vWii}}

−

|~~rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{No}}~~

−

~~|rowspan~~="~~3" {{Yes}}~~

−

~~|rowspan="3~~" {{Partial}}

−

|~~rowspan="3" {{Partial~~}}

−

~~|rowspan="3" {{Partial}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{No}}~~

−

~~|rowspan="3" {{No}}~~

−

~~|rowspan="3" | 0x76~~

−

~~|rowspan="3" | 0x3e~~

|-

−

~~|data-sort-value="1216063958"| [[#Jul 14 2008 19:32:38|Jul 14 2008 19:32:38]] ~~

+

|rowspan="2"| [[#Group B|B]]

−

|-

+

|data-sort-value="1181326629"| [[#Jun 8 2007 18:17:09|Jun 8 2007 18:17:09]]

−

~~|data-sort-value="1216930125"| [[#Jul 24 2008 20:08:45|Jul 24 2008 20:08:45]] ~~

+

|rowspan="2" {{Yes}}

−

|-

+

|rowspan="2" {{No}}

−

|rowspan="3" | [[#Group D|D]]

−

|data-sort-value="~~1215786867~~"| [[#~~Jul 11 2008 14~~:34:27|~~Jul 11 2008 14~~:34:27]]

−

|rowspan="~~3" {{No}}~~

−

~~|rowspan="3~~" {{Yes}}

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{Partial}}~~

−

~~|rowspan="3" {{Partial}}~~

−

~~|rowspan="3" {{Partial}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{Yes}}~~

−

~~|rowspan="3" {{No}}~~

−

~~|rowspan="3" | 0x76~~

−

~~|rowspan="3" | 0x40~~

−

|-

−

~~|data-sort-value="1216859413"| [[#Jul 24 2008 00:30:13|Jul 24 2008 00:30:13]] ~~

−

|-

−

~~|data-sort-value="1230126666"| [[#Dec 24 2008 13:51:06|Dec 24 2008 13:51:06]] ~~

−

|-

−

~~|rowspan="2" | [[#Group E|E]]~~

−

~~|data-sort-value="1227541149"| [[#Nov 24 2008 15:39:09|Nov 24 2008 15:39:09]]~~

−

|rowspan="2" {{No}}

|rowspan="2" {{Yes}}

−

~~|rowspan="2" {{Partial}}~~

−

~~|rowspan="2" {{Partial}}~~

−

~~|rowspan="2" {{Partial}}~~

|rowspan="2" {{Yes}}

Line 183: Line 143:

|rowspan="2" {{Yes}}

−

| ~~0x79~~

+

|rowspan="2" {{No}}

−

| ~~0x42~~

+

|rowspan="2" {{No}}

+

|rowspan="2" data-sort-value="118"| 0x76

+

|rowspan="2" data-sort-value="61" | 0x3d

+

| {{No}}

|-

−

|data-sort-value="~~1244015349~~"| [[#Jun ~~3 2009 07~~:49:09|Jun ~~3 2009 07~~:49:09]]

+

|data-sort-value="1181326810"| [[#Jun 8 2007 18:20:10|Jun 8 2007 18:20:10]]

−

| ~~0x79~~

+

| {{No}}

−

~~| 0x45~~

−

|}

−

~~=== Group A ===~~

−

Used in monolithic IOS versions (those prior to IOS28, obviously excluding stubbed IOS versions). As these versions have only a single ELF file for all modules, there is no single hash for the DI driver.

−

In this version, [[#0x8D DVDLowUnencryptedRead|0x8D DVDLowUnencryptedRead]] only accepted the start and end being between 0 and 0x14000, and IOCtls [[#0x95 DVDLowGetStatusRegister|0x95 DVDLowGetStatusRegister]] and [[#0x96 DVDLowGetControlRegister|0x96 DVDLowGetControlRegister]] and all IOCtlVs other than [[#0x8B DVDLowOpenPartition|0x8B DVDLowOpenPartition]] did not exist. [[#0x87|0x87]] and [[#0x7F DVDLowSetSpinupFlag|0x7F DVDLowSetSpinupFlag]] did exist as the current stubs.

−

This version will issue command 0xE0 to the drive if the error interrupt is set before a command runs (in addition to clearing the interrupt). It prints a message before it issues the command, but not if the issued command fails.

−

Furthermore, the IOSC [[syscalls]] seem to have weird IDs shifted up by 2; IOSC_Decrypt (used by AESdecryptHW) is 0x69 instead of 0x6b, IOSC_GenerateHash is 0x65 instead of 0x67, and IOSC_DeleteObject is 0x5a instead of 0x5c. Presumably, later versions added two syscalls before these{{check}} (and after 0x52, as that syscall has the same ID in later versions).

−

~~==== Oct 5 2006 17:41:21 ====~~

−

~~{| class="wikitable"~~

−

~~! MD5~~

−

~~| colspan="3"~~ {{~~Not tested|Varies~~}}

|-

−

~~! Thing~~

+

|rowspan="6" | [[#Group C|C]]

−

~~! Virtual address~~

+

|data-sort-value="1216063532"| [[#Jul 14 2008 19:25:32|Jul 14 2008 19:25:32]]

−

~~! Physical address~~

+

|rowspan="6" {{Yes}}

−

~~! Size~~

+

|rowspan="6" {{No}}

+

|rowspan="6" {{Yes}}

+

|rowspan="6" {{Partial}}

+

|rowspan="6" {{Partial}}

+

|rowspan="6" {{Partial}}

+

|rowspan="6" {{Yes}}

+

|rowspan="6" {{Yes}}

+

|rowspan="6" {{Yes}}

+

|rowspan="6" {{No}}

+

|rowspan="6" {{No}}

+

|rowspan="6" data-sort-value="118"| 0x76

+

|rowspan="6" data-sort-value="61" | 0x3d

+

| {{Yes}}

|-

−

| ~~Code (and entry point)~~

+

|data-sort-value="1216063958"| [[#Jul 14 2008 19:32:38|Jul 14 2008 19:32:38]]

−

| ~~20200000~~

+

| {{Yes}}

−

| ~~13580000~~

−

| ~~0x6704~~

|-

−

| ~~Data (ES vars)~~

+

|data-sort-value="1216930125"| [[#Jul 24 2008 20:08:45|Jul 24 2008 20:08:45]]

−

| ~~20207000~~

+

| {{Yes}}

−

| ~~13587000~~

−

| ~~0x140~~

|-

−

| ~~BSS (zero'd)~~

+

|data-sort-value="1333454416.1"| [[#Apr 3 2012 12:00:16 1|Apr 3 2012 12:00:161]]

−

| ~~20208000~~

+

|data-sort-value="z" {{Partial|vWii}}

−

| ~~13588000~~

−

| ~~0x2BE08~~

|-

−

| ~~Stack~~

+

|data-sort-value="1333454416.2"| [[#Apr 3 2012 12:00:16 2|Apr 3 2012 12:00:162]]

−

| ~~2022bd40~~

+

|data-sort-value="z" {{Partial|vWii}}

−

| ?

−

| ~~0x8000~~

|-

−

| ~~Protected heap~~

+

|data-sort-value="1333458700"| [[#Apr 3 2012 13:11:40|Apr 3 2012 13:11:40]]

−

| ~~20208020~~

+

|data-sort-value="z" {{Partial|vWii}}

−

| ?

−

| ~~0x4000~~

|-

−

| ~~Open heap~~

+

|rowspan="5" | [[#Group D|D]]

−

| ~~13400000~~

+

|data-sort-value="1215786867"| [[#Jul 11 2008 14:34:27|Jul 11 2008 14:34:27]]

−

| ?

+

|rowspan="5" {{No}}

−

| ~~0x18000~~

+

|rowspan="5" {{Yes}}

+

|rowspan="5" {{Yes}}

+

|rowspan="5" {{Partial}}

+

|rowspan="5" {{Partial}}

+

|rowspan="5" {{Partial}}

+

|rowspan="5" {{Yes}}

+

|rowspan="5" {{Yes}}

+

|rowspan="5" {{Yes}}

+

|rowspan="5" {{Yes}}

+

|rowspan="5" {{No}}

+

|rowspan="5" data-sort-value="118"| 0x76

+

|rowspan="5" data-sort-value="64"| 0x40

+

| {{Yes}}

+

|-

+

|data-sort-value="1216859413"| [[#Jul 24 2008 00:30:13|Jul 24 2008 00:30:13]]

+

| {{Yes}}

+

|-

+

|data-sort-value="1230126666"| [[#Dec 24 2008 13:51:06|Dec 24 2008 13:51:06]]

+

| {{Yes}}

+

|-

+

|data-sort-value="1333455694"| [[#Apr 3 2012 12:21:34|Apr 3 2012 12:21:34]]

+

|data-sort-value="z" {{Partial|vWii}}

+

|-

+

|data-sort-value="1333456261"| [[#Apr 3 2012 12:31:01|Apr 3 2012 12:31:01]]

+

|data-sort-value="z" {{Partial|vWii}}

+

|-

+

|rowspan="7" | [[#Group E|E]]

+

|data-sort-value="1227541149"| [[#Nov 24 2008 15:39:09|Nov 24 2008 15:39:09]]

+

|rowspan="7" {{No}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" {{Partial}}

+

|rowspan="7" {{Partial}}

+

|rowspan="7" {{Partial}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" {{Yes}}

+

|rowspan="7" data-sort-value="121"| 0x79

+

|data-sort-value="66"| 0x42

+

| {{No}}

+

|-

+

|data-sort-value="1239037807"| [[#Apr 6 2009 17:10:07|Apr 6 2009 17:10:07]]

+

|data-sort-value="68"| 0x44

+

| {{No}}

+

|-

+

|data-sort-value="1244015349"| [[#Jun 3 2009 07:49:09|Jun 3 2009 07:49:09]]

+

|data-sort-value="69"| 0x45

+

| {{Yes}}

+

|-

+

|data-sort-value="1330353596"| [[#Feb 27 2012 14:39:56|Feb 27 2012 14:39:56]]

+

|rowspan="4" data-sort-value="69.1"| 0x45<abbr title="Has change to IoctlVs 0x41 and 0x42>*</abbr>

+

| {{Yes}}

+

|-

+

|data-sort-value="1333375434"| [[#Apr 2 2012 14:03:54|Apr 2 2012 14:03:54]]

+

|data-sort-value="z" {{Partial|vWii}}

+

|-

+

|data-sort-value="1333457403"| [[#Apr 3 2012 12:50:03|Apr 3 2012 12:50:03]]

+

|data-sort-value="z" {{Partial|vWii}}

+

|-

+

|data-sort-value="1333458048"| [[#Apr 3 2012 13:00:48|Apr 3 2012 13:00:48]]

+

|data-sort-value="z" {{Partial|vWii}}

|}

−

=== ~~Group B~~ ===

+

=== vWii note ===

−

~~Adds [~~[#~~0x95 DVDLowGetStatusRegister|0x95 DVDLowGetStatusRegister]~~], and ~~adds~~ ~~all~~ of the ~~IOCtlVs~~ (~~which are also exposed~~ as ~~IOCtls~~): [[#0x90 DVDLowGetNoDiscOpenPartitionParams|0x90 DVDLowGetNoDiscOpenPartitionParams]], [[#0x91 DVDLowNoDiscOpenPartition|0x91 DVDLowNoDiscOpenPartition]], [[#0x92 DVDLowGetNoDiscBufferSizes|0x92 DVDLowGetNoDiscBufferSizes]], [[#0x93 DVDLowOpenPartitionWithTmdAndTicket|0x93 DVDLowOpenPartitionWithTmdAndTicket]], and [[#0x94 DVDLowOpenPartitionWithTmdAndTicketView|0x94 DVDLowOpenPartitionWithTmdAndTicketView]]. It also allows all 3 ranges in [[#0x8D DVDLowUnencryptedRead|0x8D DVDLowUnencryptedRead]].

+

vWii IOS versions are also listed here. See [https://wiiubrew.org/wiki/Title_database#00000007_and_000700xx:_Virtual_Wii_titles WiiUBrew's title database] for a list of vWii IOS versions. There is one vWii version of the DI module for each live regular version. Every vWii version has 2 differences from the corresponding regular version: they time out after 35000000µs instead of 15000000µs (perhaps due to Starlet/Starbuck clock rate differences?{{check}}), and they check for a disc ID of <code>401A</code> in the post-DVDLowReadDiskID read code (treating such a disc as an unencrypted "GAMECUBE or other" disc, instead of a disc that needs to have encryption information read).

−

The various allocation functions were tweaked; rather than having separate functions for different alignments, they just take an alignment parameter. They also no longer return a bool and modify a parameter, instead just returning a pointer.

+

=== Group A ===

−

~~Added a warning if the call to clearDriveErrorInterupt fails.~~ In this version, ~~it can theoretically fail (~~as ~~it sends an actual 0xE0 command), but later versinos keep that message even after they stop sending a command~~.

+

In this version, [[#0x8D DVDLowUnencryptedRead|0x8D DVDLowUnencryptedRead]] only accepted the start and end being between 0 and 0x14000, and IOCtls [[#0x95 DVDLowGetStatusRegister|0x95 DVDLowGetStatusRegister]] and [[#0x96 DVDLowGetControlRegister|0x96 DVDLowGetControlRegister]] and all IOCtlVs other than [[#0x8B DVDLowOpenPartition|0x8B DVDLowOpenPartition]] did not exist. [[#0x87|0x87]] and [[#0x7F DVDLowSetSpinupFlag|0x7F DVDLowSetSpinupFlag]] did exist as the current stubs.

−

~~Added 5 unused debug functions (starting at 20201a6c) that print out various messages, after~~ the (~~also unused) functions that print info relating~~ to ~~stack usage. All of these functions continue to exist for~~ the ~~rest of the versions~~. ~~Removed some other unused debug methods (dumpDiskInfo,~~ a ~~hex dump method~~, ~~and a method that printed info about a partion, previously starting at 20202510, 20202540, and 202025f4). Removed printIOS_OpenError (20201f28), which was used~~ if ~~/dev/es failed to open. Removed initBytes (20202590) which filled memory with 0xDEADBEEFCAFEBABE~~.

+

This version will issue command 0xE0 to the drive if the error interrupt is set before a command runs (in addition to clearing the interrupt). It prints a message before it issues the command, but not if the issued command fails.

−

~~The function that a hash of some data (located at 20202478 in this version and 20201778 before~~, ~~and also is~~ the ~~only function that calls IOSC_GenerateHash~~) ~~changed its fatal error messages for invalid input: "Hash array address~~ is ~~not 64 byte aligned" became "Address~~ of ~~array to be hashed~~ is ~~not 64 byte aligned"~~ and "Hash array length must be >= 64" became "Number of bytes to be hashed must be >= 64". The function was also changed to copy the computed hash to a parameter (always returning true if computation was successful) instead of ~~comparing the computed hash with the parameter (returning false if computation fails or there was a mismatch)~~. ~~New functions were~~ added ~~using this function~~ that ~~verify one (20202554) or multiple hashes (20202584~~).

+

Furthermore, the IOSC [[syscalls]] seem to have weird IDs shifted up by 2; IOSC_Decrypt (used by AESdecryptHW) is 0x69 instead of 0x6b, IOSC_GenerateHash is 0x65 instead of 0x67, and IOSC_DeleteObject is 0x5a instead of 0x5c. Presumably, later versions added two syscalls before these{{check}} (and after 0x52, as that syscall has the same ID in later versions).

−

~~doBlockRead prints "(doBlockRead) Data subblock %d failed to verify against H0 Hash" instead~~ of ~~"(doBlockRead) Data failed to verify against H0 Hash" if a hash fails. Note that the subsequent call to diFatalError still uses the old message. Additionally~~, ~~the coutner for the loop changed direction since it can show up in that message (presumably a compiler optimisation no longer being possible~~, ~~instead of an actual change)~~.

+

For the sake of organization, prelaunch versions are also listed here, although they have slight differences.

−

Partition-related code seems to have changed{{check}} (printing less messages, among other things), but it's hard to make sense of what's an actual change versus code that was only added for the new IoctlVs.

+

==== Aug 10 2006 11:24:50 ====

−

~~Removed a variable that stored~~ the ~~H3 hashes offset that was never read (previously located at 20233df4)~~. ~~However, they didn't remove an even more useless H3 hashes size variable right after it (previously at 20233df8, now at 2022ddb4), for some reason~~.

+

Found in [[IOS4]] v3 in the [[Prelaunch System Menu|insert startup disc]] Wii's NAND. Not available on NUS.

−

~~ES_DiVerifyWrapper now supports ticket views in addition~~ to ~~tickets~~.

+

[[#0x8D DVDLowUnencryptedRead|0x8D]] can only be used with start and end offsets between 0x10000 and 0x14001 or bytes 0x40000 through 0x50003. The size alignment check means this doesn't actually allow reading more bytes past the end. This means that the PPC would only have access to the [[Wii Disc]]'s partitions information and such, and not header bytes beyond 0x20 (the first 0x20 bytes are accessible through [[#0x70 DVDLowReadDiskID|0x70 DVDLowReadDiskID]]), i.e. the game title and encryption information cannot be accessed.

−

~~Added several ES wrappers, most unused:~~

+

{| class="wikitable"

−

* ES_GetStoredContent (~~0x32~~ and ~~0x33, at 20204f34~~)

+

! SHA-1

−

* ES_GetStoredTmd (~~0x34 and 0x35, at 20205120~~)

+

| colspan="3"| 5032764e723e0db7e6d7f434219c9d50289a1cab

−

* ES_GetSharedContents (~~0x36 and 0x37, at 20204fe4~~)

+

|-

−

* ES_DeleteSharedContent (0x38, at 20205308)

+

! Thing

−

* ES_DiGetTmd (0x39 and 0x3a, at 202055dc)

+

! Virtual address

−

* ES_DiVerify_TicketView (0x3b, at 202057f0); this function actually is used.

+

! Physical address

−

* ES_SetupStreamKey (0x3c, at 20205b58)

+

! Size

−

* ES_DeleteStreamKey (0x3d, at 20205c18)

+

|-

−

+

| Code (and entry point)

−

~~Also:~~

+

| 20200000

−

+

| 13540000

−

* ES_DiGetTmdView (0x1a, at 20205668) now uses 0x19 if the size is not specified.

+

| 0x6540

−

* ES_DiGetTicketView (0x1b, at 20205578 and previously 20204104) now allows the first parameter to be null. ~~This function still is not used.~~

+

|-

+

| Data (ES vars)

+

| 20207000

+

| 13547000

+

| 0x140

+

|-

+

| BSS (zero'd)

+

| 20208000

+

| 13548000

+

| 0x2BE08

+

|-

+

| Stack

+

| 2022bd40

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 20208020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13400000

+

| ?

+

| 0x18000

+

|}

−

==== ~~Jun 8 2007 18~~:17:09 ====

+

==== Aug 13 2006 17:33:44 ====

−

~~Used by early builds of certain IOS versions~~. ~~No current version of IOS uses this build~~.

+

Found in [[IOS9]] v1 in the [[Prelaunch System Menu|insert startup disc]] Wii's NAND. Not available on NUS.

−

* [[IOS30]] prior to v2816 (~~stubbing)~~

+

A hash error in doBlockRead ("Data failed to verify against H0 Hash"/"H0 Hashes failed to verify"/"H1 Hashes failed to verify"/"H2 Hashes failed to verify") or openPartition ("Verifying H3 hashes against H4 hash failed") results in diFatalError being called, while the Aug 10 build simply returns a security error.

−

* [[IOS31]] prior to ~~v3088~~

−

* [[IOS33]] prior to ~~v2832 (v1040 only)~~

−

* [[IOS34]] prior to ~~v3087 (v1039 only)~~

−

* [[IOS35]] prior to ~~v3088 (v1040 only~~)

−

* [[IOS36]] prior to v3090 (v1042 only)

−

* [[IOS37]] prior to v3609 (~~v2070 only~~)

−

~~This~~ version ~~will issue command 0xE0~~ to ~~the drive if the~~ error ~~interrupt is set before a command runs~~, ~~and additionally prints a a second message if that fails in DiIoctl~~ (~~which exists in all subsequent versions~~, ~~even those that do not actually issue a command so it cannot ever fail~~).

+

[[#0x8D DVDLowUnencryptedRead|0x8D]] now is able to access data between 0 and 0x14000.

+

In this version only, [[#0x71 DVDLowRead|0x71 DVDLowRead]] can be used with non-secure discs, simply calling doRawDiskRead. In versions both before and after, attempting to do this returns a security error.

+

Added ES wrappers:

+

* ES_Sign (0x30, at 202045e0)

+

* ES_VerifySign (0x31, at 20204650)

{| class="wikitable"

−

! ~~MD5~~

+

! SHA-1

−

| colspan="3"| ~~c808d8b90a74a4ee808b199a1b1e8d53~~

+

| colspan="3"| 9dce75d14e01f6efc8d56821c139490792b8b3f9

|-

! Thing

Line 303: Line 337:

| Code (and entry point)

| 20200000

−

| ~~139B0000~~

+

| 13580000

−

| ~~0x80E0~~

+

| 0x670C

|-

| Data (ES vars)

−

| ~~20209000~~

+

| 20207000

−

| ~~139B9000~~

+

| 13587000

| 0x140

|-

| BSS (zero'd)

−

| ~~2020A000~~

+

| 20208000

−

| ~~139BA000~~

+

| 13588000

−

| ~~0x2BDC4~~

+

| 0x2BE08

|-

| Stack

−

| ~~2022ddc4~~

+

| 2022bd40

| ?

| 0x8000

|-

| Protected heap

−

| ~~2020a020~~

+

| 20208020

| ?

| 0x4000

|-

| Open heap

−

| ~~13600000~~

+

| 13400000

| ?

| 0x18000

|}

−

=== ~~Group C~~ ===

+

==== Oct 5 2006 17:41:21 ====

−

~~Removes IOCtlVs [[#0x90 DVDLowGetNoDiscOpenPartitionParams|0x90]]~~, ~~[[#0x91 DVDLowNoDiscOpenPartition|0x91]], and [[#0x92 DVDLowGetNoDiscBufferSizes|0x92]] (but they are still accessible as IOCtls~~). ~~([[#0x93 DVDLowOpenPartitionWithTmdAndTicket|0x93]] and [[#0x94 DVDLowOpenPartitionWithTmdAndTicketView|0x94]] remain available as IOCtlVs~~.)

+

Used in monolithic IOS versions (those prior to IOS28, obviously excluding stubbed IOS versions). As these versions have only a single ELF file for all modules, there is no single hash for the DI driver.

−

The ~~thunk function for memcpy are~~ now ~~located between thunks for IOS_FlushDCache and IOSC_GenerateHash (at 20205b80)~~ instead of ~~request_di_interrupt and time_now~~ (~~at 20205dc0~~) ~~in group B~~.

+

The main thread's priority is now 0x54 instead of 0x50. DVDLowReset now also skips the check for clearing the drive error (in addition to DVDLowRequestError).

−

~~==== Jul 14 2008 19:25:32 ====~~

+

openPartition now allocates and reads 0x2c0 bytes for the [[Wii Disc#Partition|partition]] (instead of 0x2bc bytes), meaning the "Data size >> 2" field was not read before.

−

~~Replaces the Jun 8 build for IOS versions other than IOS37:~~

+

{| class="wikitable"

−

+

! SHA-1

−

* [[IOS31]] starting with v3088

+

| colspan="3" {{Not tested|Varies}}

−

* [[IOS33]] starting with v2832

−

* [[IOS34]] starting with v3087

−

* [[IOS35]] starting with v3088

−

* [[IOS36]] starting with v3090

−

{| class="wikitable"

−

! ~~MD5~~

−

| colspan="3"| ~~366021c440e6377044f8ca8c94e2e6bc~~

|-

! Thing

Line 359: Line 385:

| Code (and entry point)

| 20200000

−

| ~~139B0000~~

+

| 13580000

−

| ~~0x7D74~~

+

| 0x6704

|-

| Data (ES vars)

−

| ~~20208000~~

+

| 20207000

−

| ~~139B8000~~

+

| 13587000

| 0x140

|-

| BSS (zero'd)

−

| ~~20209000~~

+

| 20208000

−

| ~~139B9000~~

+

| 13588000

−

| ~~0x2BDC4~~

+

| 0x2BE08

|-

| Stack

−

| ~~2022cdc4~~

+

| 2022bd40

| ?

| 0x8000

|-

| Protected heap

−

| ~~20209020~~

+

| 20208020

| ?

| 0x4000

|-

| Open heap

−

| ~~13600000~~

+

| 13400000

| ?

| 0x18000

|}

−

==== ~~Jul 14 2008 19~~:32:38 ====

+

==== Apr 3 2012 11:52:55 ====

−

~~Only found in~~ [[~~IOS28~~]] (~~which is the first build that split things into modules~~). ~~The only difference between~~ the ~~build from 7 minutes earlier is that~~ the ~~open heap~~ is at ~~address 0x13800000 (0x9c << 0x15~~) instead of ~~address 0x13600000 (0x9b << 0x15). This is~~ a ~~1-byte difference at offset 920 in~~ the ~~file or at address 202007fc.~~ (~~There are technically 2~~ other ~~differences between the~~ versions~~, for the build date strings~~.)

+

Wii U vWii variant of [[#Oct 5 2006 17:41:21|Oct 5 2006 17:41:21]]. Used in monolithic IOS versions (prior to IOS28). Has the normal [[#vWii note|vWii changes]], and additionally, the string constant <code>/dev/es</code> is located in a mutable location (at 20207020) instead of at a constant location with the other string constants (as in all other versions).

{| class="wikitable"

−

! ~~MD5~~

+

! SHA-1

−

| colspan="3"| ~~49f714dd1a0985fbd4c44ee9fe4f945a~~

+

| colspan="3" {{Not tested|Varies}}

|-

! Thing

Line 403: Line 429:

| Code (and entry point)

| 20200000

−

| ~~139B0000~~

+

| 13580000

−

| ~~0x7D74~~

+

| 0x6718

|-

| Data (ES vars)

−

| ~~20208000~~

+

| 20207000

−

| ~~139B8000~~

+

| 13587000

| 0x140

|-

| BSS (zero'd)

−

| ~~20209000~~

+

| 20208000

−

| ~~139B9000~~

+

| 13588000

−

| ~~0x2BDC4~~

+

| 0x2BE08

|-

| Stack

−

| ~~2022cdc4~~

+

| 2022bd40

| ?

| 0x8000

|-

| Protected heap

−

| ~~20209020~~

+

| 20208020

| ?

| 0x4000

|-

| Open heap

−

| ~~13800000~~

+

| 13400000

| ?

| 0x18000

|}

−

===~~= Jul 24 2008 20:08:45 =~~===

+

=== Group B ===

−

~~Only found~~ in [[~~IOS38~~]].

+

Adds [[#0x95 DVDLowGetStatusRegister|0x95 DVDLowGetStatusRegister]], and adds all of the IOCtlVs (which are also exposed as IOCtls): [[#0x90 DVDLowGetNoDiscOpenPartitionParams|0x90 DVDLowGetNoDiscOpenPartitionParams]], [[#0x91 DVDLowNoDiscOpenPartition|0x91 DVDLowNoDiscOpenPartition]], [[#0x92 DVDLowGetNoDiscBufferSizes|0x92 DVDLowGetNoDiscBufferSizes]], [[#0x93 DVDLowOpenPartitionWithTmdAndTicket|0x93 DVDLowOpenPartitionWithTmdAndTicket]], and [[#0x94 DVDLowOpenPartitionWithTmdAndTicketView|0x94 DVDLowOpenPartitionWithTmdAndTicketView]]. It also allows all 3 ranges in [[#0x8D DVDLowUnencryptedRead|0x8D DVDLowUnencryptedRead]].

−

~~Identical to the Jul 14 2008 19:25:32 build apart from the priority of the main thread being set to 0x1b instead of 0x54 (all versions other~~ than ~~this and Jul 24 2008 00:30:13 use 0x54)~~. ~~This results in byte differences at address 20207c2c (file offset 7d54)~~, ~~as well as in some ELF header area (file offset 114), and the timestamps~~.

+

The various allocation functions were tweaked; rather than having separate functions for different alignments, they just take an alignment parameter. They also no longer return a bool and modify a parameter, instead just returning a pointer.

−

~~{| class="wikitable"~~

+

Added a warning if the call to clearDriveErrorInterupt fails. In this version, it can theoretically fail (as it sends an actual 0xE0 command), but later versinos keep that message even after they stop sending a command.

−

~~! MD5~~

+

−

~~| colspan="3"| ef1a8c1270f82e0993f504f1e17a5152~~

+

Added 5 unused debug functions (starting at 20201a6c) that print out various messages, after the (also unused) functions that print info relating to stack usage. All of these functions continue to exist for the rest of the versions. Removed some other unused debug methods (dumpDiskInfo, a hex dump method, and a method that printed info about a partion, previously starting at 20202510, 20202540, and 202025f4). Removed printIOS_OpenError (20201f28), which was used if /dev/es failed to open. Removed initBytes (20202590) which filled memory with 0xDEADBEEFCAFEBABE.

−

|-

+

−

~~! Thing~~

+

The function that a hash of some data (located at 20202478 in this version and 20201778 before, and also is the only function that calls IOSC_GenerateHash) changed its fatal error messages for invalid input: "Hash array address is not 64 byte aligned" became "Address of array to be hashed is not 64 byte aligned" and "Hash array length must be >= 64" became "Number of bytes to be hashed must be >= 64". The function was also changed to copy the computed hash to a parameter (always returning true if computation was successful) instead of comparing the computed hash with the parameter (returning false if computation fails or there was a mismatch). New functions were added using this function that verify one (20202554) or multiple hashes (20202584).

−

~~! Virtual address~~

+

−

~~! Physical address~~

+

doBlockRead prints "(doBlockRead) Data subblock %d failed to verify against H0 Hash" instead of "(doBlockRead) Data failed to verify against H0 Hash" if a hash fails. Note that the subsequent call to diFatalError still uses the old message. Additionally, the coutner for the loop changed direction since it can show up in that message (presumably a compiler optimisation no longer being possible, instead of an actual change).

−

~~! Size~~

+

−

|-

+

Partition-related code was split into several functions (and fewer functions are now inlined), due to the addition of functions for the new IoctlVs. Actual behavior seems to be identical, apart from log messages using new function names.

−

~~| Code~~ (and ~~entry point~~)

+

−

~~| 20200000~~

+

Removed a variable that stored the H3 hashes offset that was never read (previously located at 20233df4). However, they didn't remove an even more useless H3 hashes size variable right after it (previously at 20233df8, now at 2022ddb4), for some reason.

−

~~| 139B0000~~

+

−

~~| 0x7D74~~

+

ES_DiVerifyWrapper now supports ticket views in addition to tickets.

−

|-

+

−

| Data (~~ES vars~~)

+

Added several ES wrappers, most unused:

−

~~| 20208000~~

+

* ES_GetStoredContent (0x32 and 0x33, at 20204f34)

−

~~| 139B8000~~

+

* ES_GetStoredTmd (0x34 and 0x35, at 20205120)

−

~~| 0x140~~

+

* ES_GetSharedContents (0x36 and 0x37, at 20204fe4)

−

|-

+

* ES_DeleteSharedContent (0x38, at 20205308)

−

~~| BSS~~ (~~zero'd~~)

+

* ES_DiGetTmd (0x39 and 0x3a, at 202055dc)

−

~~| 20209000~~

+

* ES_DiVerify_TicketView (0x3b, at 202057f0); this function actually is used.

−

~~| 139B9000~~

+

* ES_SetupStreamKey (0x3c, at 20205b58)

−

~~| 0x2BDC4~~

+

* ES_DeleteStreamKey (0x3d, at 20205c18)

−

|-

−

~~| Stack~~

−

~~| 2022cdc4~~

−

~~| ?~~

−

~~| 0x8000~~

−

|-

−

~~| Protected heap~~

−

~~| 20209020~~

−

~~| ?~~

−

~~| 0x4000~~

−

|-

−

~~| Open heap~~

−

~~| 13600000~~

−

~~| ?~~

−

~~| 0x18000~~

−

|}

−

~~=== Group D ===~~

+

Also:

−

~~Adds [[#0x96 DVDLowGetControlRegister|0x96 DVDLowGetControlRegister]]~~. ~~Note that although these versions are earlier than group C, they have more features~~.

+

* ES_DiGetTmdView (0x1a, at 20205668) now uses 0x19 if the size is not specified.

+

* ES_DiGetTicketView (0x1b, at 20205578 and previously 20204104) now allows the first parameter to be null. This function still is not used.

−

~~diFatalError attempts to write 0xdeadbeef to 0xffff0000 before it calls CancelThread and enters an infinite loop.~~ ~~The message was also changed from "(diFatalError) Fatal error in DI driver~~: ~~%s\nExiting\n" to "(diFatalError) *** DI FATAL ERROR~~: %s\nExiting\n". Something about this changed compiler or decompiler behavior, changing the way uses of that function affect code flow which makes some changes harder to spot and creates a lot of changes that aren't actually changes.

+

==== Jun 8 2007 18:17:09 ====

−

~~clearDriveErrorInterupt and doWaitForCoverClose were moved to be before handleDiCommand instead~~ of ~~after (group C has them at 2020146c/2020149c, and now they are at 20200b80/20200b98)~~. ~~Furthermore, clearDriveErrorInterupt no longer issues a 0xE0 command to the drive, and always returns success (however, the rest~~ of ~~the code still assumes it can fail, printing a warning in that case)~~.

+

Used by early builds of certain IOS versions. No current version of IOS uses this build.

−

~~Improved error messages in doBlockRead. The debug messages for when a hash failed now also print the first parameter as a pointer (e.g. "~~(~~doBlockRead~~) ~~Data subblock %d failed~~ to ~~verify against H0 Hash~~ (~~%08x~~)~~"). The fatal error message for the first case was changed from "Data failed to verify against H0 Hash" to "Data subblock failed~~ to ~~verify against H0 Hash"~~ (~~the other messages of the form "H0 Hashes failed to verify" were not changed~~)~~. Additionally, if the call~~ to ~~doRawDiskRead fails, the message "~~(~~doBlockRead~~) ~~doRawDiskRead failed, rc=%d\n" is printed~~ (~~previously nothing was printed~~)~~; the return value is still that of doRawDiskRead in that case. Lastly, when a hash fails, the parameter is memset with value 0xA5~~ prior to ~~calling diFatalError.~~

+

* [[IOS30]] prior to v2816 (stubbing)

+

* [[IOS31]] prior to v3088

+

* [[IOS33]] prior to v2832 (v1040 only)

+

* [[IOS34]] prior to v3087 (v1039 only)

+

* [[IOS35]] prior to v3088 (v1040 only)

+

* [[IOS36]] prior to v3090 (v1042 only)

+

* [[IOS37]] prior to v3609 (v2070 only)

−

~~The implementation of DVDLowRead no longer calls doReadHashEncryptedState if it hasn't been called before (before it checks~~ if the ~~disc~~ is a ~~secure disc). It never needed to anyways, as it is called after DVDLowReadDiskID~~, ~~which *must* be called first. It was also moved to be before doNonConfirmingDiscRead~~ and ~~doReadHashEncryptedState~~ (~~at 202029e8) instead of after them (at 20202950~~).

+

This version will issue command 0xE0 to the drive if the error interrupt is set before a command runs, and additionally prints a a second message if that fails in DiIoctl (which exists in all subsequent versions, even those that do not actually issue a command so it cannot ever fail).

−

doReadHashEncryptedState only considers a disc as secure (and only enables hashing) if both disable hashing (byte 0x60 of the [[Wii Disc]]) and disable encryption (byte 0x61) are false (and also acts as if hashing were disabled if encryption is disabled). Previously, only the hashing byte controlled whether the disc was secure and hashing was enabled.

+

{| class="wikitable"

−

+

! SHA-1

−

The 0x18000-byte H3 hashes buffer is cleared by commonOpenPartition with value 0xA5 if a non-encrypted disc is used (disc encryption at byte 0x61 on the [[Wii Disc]] is 0 and the partition's H3 offset is also 0; disabling encryption but having an H3 offset set will result in a fatal error in both this version and earlier versions).

+

| colspan="3"| 260be947a08f57f6ef51086427fe222fd4040399

−

+

|-

−

~~Some more ES wrappers were added:~~

+

! Thing

−

* 0x3E (at 2020525c)

+

! Virtual address

−

* ES_GetV0TicketFromView (0x40, at 20205068)

+

! Physical address

−

+

! Size

−

~~==== Jul 11 2008 14:34:27 ====~~

+

|-

−

~~Used by several IOS builds:~~

−

* [[IOS37]] starting with v2816

−

* [[IOS50]] v4889 (v5120 is a stub)

−

* [[IOS51]] v4633 (v4864 is a stub)

−

* [[IOS52]] v5661 (v5888 is a stub)

−

* [[IOS53]] (all versions)

−

* [[IOS55]] (all versions)

−

{| class="wikitable"

−

! ~~MD5~~

−

| colspan="3"| ~~382d4a5cafdb1e28ba039d25db7c4c1f~~

−

|-

−

! Thing

−

! Virtual address

−

! Physical address

−

! Size

−

|-

| Code (and entry point)

| 20200000

| 139B0000

−

| ~~0x8088~~

+

| 0x80E0

|-

| Data (ES vars)

Line 549: Line 547:

|}

−

==== ~~Jul 24 2008 00~~:30:13 ====

+

==== Jun 8 2007 18:20:10 ====

−

~~Only found in [[IOS48]].~~

−

~~Identical to~~ the ~~Jul 11 2008 14~~:34:27 build ~~apart~~ from the ~~priority of~~ the ~~main thread being set to 0x1b~~ instead of ~~0x54~~ (~~all versions other than this and Jul 24 2008 20:08:45 use 0x54~~). This ~~results in~~ byte ~~differences~~ at ~~address 20207f40 (file~~ offset ~~8068), as well as~~ in ~~some ELF header area~~ (~~file offset 114~~)~~, and the timestamps~~.

+

Only found in [[IOS28]] version 1288 (which is the first build that split things into modules). This version is not present on NUS, but can be found on the update partition of some discs, such as ''LEGO Star Wars: The Complete Saga'' and ''Marble Saga: Kororinpa''. The only difference between the build from the earlier build is that the open heap is at address 0x13800000 (0x9c << 0x15) instead of address 0x13600000 (0x9b << 0x15). This is a 1-byte difference at offset bfc in the file or at address 20200ad4. (There are also differences for the build dates).

{| class="wikitable"

−

! ~~MD5~~

+

! SHA-1

−

| colspan="3"| ~~108011e89e557d4e8adf1a02f87cb8ea~~

+

| colspan="3"| fb308a9a1d9341df9517db155f4383162325dcc0

|-

! Thing

Line 567: Line 563:

| 20200000

| 139B0000

−

| ~~0x8088~~

+

| 0x80E0

|-

| Data (ES vars)

Line 585: Line 581:

|-

| Protected heap

−

| ~~2020a020~~

+

| 2020A020

| ?

| 0x4000

|-

| Open heap

−

| ~~13600000~~

+

| 13800000

| ?

| 0x18000

|}

−

==== ~~Dec 24~~ 2008 13:51:06 ====

+

=== Group C ===

+

Removes IOCtlVs [[#0x90 DVDLowGetNoDiscOpenPartitionParams|0x90]], [[#0x91 DVDLowNoDiscOpenPartition|0x91]], and [[#0x92 DVDLowGetNoDiscBufferSizes|0x92]] (but they are still accessible as IOCtls). ([[#0x93 DVDLowOpenPartitionWithTmdAndTicket|0x93]] and [[#0x94 DVDLowOpenPartitionWithTmdAndTicketView|0x94]] remain available as IOCtlVs.)

+

The thunk function for memcpy are now located between thunks for IOS_FlushDCache and IOSC_GenerateHash (at 20205b80) instead of request_di_interrupt and time_now (at 20205dc0) in group B.

+

==== Jul 14 2008 19:25:32 ====

−

~~Used in all~~ versions ~~of [[IOS41]], [[IOS43]], [[IOS45]], and [[IOS46]].~~

+

Replaces the Jun 8 build for IOS versions other than IOS37:

−

~~Rebuild~~ with ~~no changes (other than the timestamps) of Jul 11 2008 14:34:27.~~

+

* [[IOS31]] starting with v3088

+

* [[IOS33]] starting with v2832

+

* [[IOS34]] starting with v3087

+

* [[IOS35]] starting with v3088

+

* [[IOS36]] starting with v3090

{| class="wikitable"

−

! ~~MD5~~

+

! SHA-1

−

| colspan="3"| ~~72122c88cdcd4279cc09e197d3079624~~

+

| colspan="3"| 57667279972205462da427535a75a913574f2798

|-

! Thing

Line 613: Line 619:

| 20200000

| 139B0000

−

| ~~0x8088~~

+

| 0x7D74

|-

| Data (ES vars)

−

| ~~20209000~~

+

| 20208000

−

| ~~139B9000~~

+

| 139B8000

| 0x140

|-

| BSS (zero'd)

−

| ~~2020A000~~

+

| 20209000

−

| ~~139BA000~~

+

| 139B9000

| 0x2BDC4

|-

| Stack

−

| ~~2022ddc4~~

+

| 2022cdc4

| ?

| 0x8000

|-

| Protected heap

−

| ~~2020a020~~

+

| 20209020

| ?

| 0x4000

Line 641: Line 647:

|}

−

=== ~~Group E~~ ===

+

==== Jul 14 2008 19:32:38 ====

−

The code that checks H0/H1/H2 hashes was moved into the kernel, using [[IOS/Syscalls|syscall]] 0x77 (IOSC_CheckDiHashes). H3 hashes are still present. It's not clear if the actual hashing behavior changed{{check}}.

−

~~Wrappers for ES IoctlVs 0x41 (at 20205ba4 in~~ 2008 ~~and 20205c58 in 2009) and 0x42 (at 20205b44 in 2008 and 20205bf8 in 2009) were added.~~

−

Instructions for syscalls 0x77, 0x78, and 0x79 were added, though only 0x77 is used. Note that these are out of order; 0x77 is at the end of the list at 202042d0 while 0x78 and 0x79 are wedged between 0x5a and 0x5b at 202041e0 for some reason.

−

~~==== Nov 24 2008 15~~:39:09 ====

−

~~Used in the first builds of a few IOS versions:~~

−

* [[~~IOS56~~]] ~~v4890 only~~

+

Only found in [[IOS28]] (which is the first build that split things into modules). The only difference between the build from 7 minutes earlier is that the open heap is at address 0x13800000 (0x9c << 0x15) instead of address 0x13600000 (0x9b << 0x15). This is a 1-byte difference at offset 924 in the file or at address 202007fc. (There are technically 2 other differences between the versions, for the build date strings.)

−

* [[IOS57]] v5404 only

−

* [[IOS60]] v6174 only (~~other version~~ is a ~~stub~~)

−

* [[IOS61]] v4890 only

{| class="wikitable"

−

! ~~MD5~~

+

! SHA-1

−

| colspan="3"| ~~48e1be8f767feb59cbc51aa4329d735a~~

+

| colspan="3"| 92b9a637383729b25fbcb663f2895f66c6d9c987

|-

! Thing

Line 670: Line 663:

| 20200000

| 139B0000

−

| ~~0x7F00~~

+

| 0x7D74

|-

| Data (ES vars)

Line 693: Line 686:

|-

| Open heap

−

| ~~13600000~~

+

| 13800000

| ?

| 0x18000

|}

−

==== ~~Jun 3 2009 07~~:49:09 ====

+

==== Jul 24 2008 20:08:45 ====

+

Only found in [[IOS38]]. Note that this also has a version string of <code>$IOSVersion: DIP: 07/24/08 20:08:44 64M $</code>, probably just due to the two timestamps being determined at separate instants.

−

~~Used in several IOS versions, and also updated versions~~ of ~~builds that used~~ the ~~Nov 24 2008 version.~~

+

Identical to the Jul 14 2008 19:25:32 build apart from the priority of the main thread being set to 0x1b instead of 0x54 (all versions other than this and Jul 24 2008 00:30:13 use 0x54). This results in byte differences at address 20207c2c (file offset 7d54), as well as in some ELF header area (file offset 114), and the timestamps.

−

* [[IOS56]] starting with v5405

−

* [[IOS57]] starting with v5661

−

* [[IOS61]] starting with v5405

−

* [[IOS70]] v6687 (~~v6912 is a stub)~~

−

* [[IOS80]] in all versions

−

~~No changes to the actual driver code from the Nov~~ 24 2008 ~~version, but some of the ES wrapper code changed~~. ~~These also cause string constants to shift, which makes~~ byte ~~comparisons slightly annoying. The changes:~~

−

* ES_AddTicket (~~20204514~~, ~~Ioctlv 0x01~~) ~~no longer always uses a size of 0x2a4~~, ~~but will instead use 0x2a4 plus a 32-bit size at offset 0x2a8 if~~ the ~~byte at offset 0x1bc is nonzero~~.

−

* ES_GetTicketFromView (20204fc0, Ioctlvs 0x43 and 0x44) was added

−

* Ioctlv 0x45 (20205cb8) was added

{| class="wikitable"

−

! ~~MD5~~

+

! SHA-1

−

| colspan="3"| ~~89f7dc21f07e2cae97c3a571b23d8abd~~

+

| colspan="3"| b4cdc54a5912d64f9ef1e516931ab32d64677a9c

|-

! Thing

Line 726: Line 709:

| 20200000

| 139B0000

−

| ~~0x7FF0~~

+

| 0x7D74

|-

| Data (ES vars)

Line 754: Line 737:

|}

−

== ~~IoctlVs~~ ==

+

==== Apr 3 2012 12:00:16 1 ====

−

~~An incorrect size or alignment, or an incorrect in count or out count, will result in a return value of 0x80.~~ ~~Commands not listed here will cause a hang.~~

−

IoctlVs and Ioctls both go to one shared function that actually handles them which takes a diCommand; IoctlV is used when there are multiple pointers being passed to simplify conversion from virtual to physical addresses (which happens on the PPC side in both Nintendo's and libogc's IoctlV function). The IoctlVs will modify the passed diCommand to have additional parameters, noted in yellow. This means that in some cases the Ioctl can be used directly.

−

=== ~~0x8B DVDLowOpenPartition~~ ===

−

~~Opens a partition, including verifying it through~~ [[:~~/dev/es~~]] (the ~~resulting~~ [[~~:/dev/es~~#~~Error_codes~~|~~error code~~]] ~~will be written to the specified location, even if it is 0)~~. ~~DVDLowReadDiskID needs to have been called beforehand.~~

+

Wii U vWii variant of [[#Jul 14 2008 19:25:32|Jul 14 2008 19:25:32]], with the normal [[#vWii note|vWii changes]]. Used by [[IOS31]], [[IOS33]], [[IOS34]], [[IOS35]], and [[IOS36]].

−

~~Returns 0x80 if DVDLowReadDiskID has not been called~~, ~~or a partition is already open~~, ~~0x20 if allocations fail or the partition does not pass some DI security checks (valid cert offset~~, ~~valid tmd offset, presence of hashes, presense of tmd)~~, and ~~0x40 for an ES error.~~

−

~~This command will clear the error interrupt if it is set~~.

{| class="wikitable"

−

|~~+ Vector~~

+

! SHA-1

−

! ~~Index~~

+

| colspan="3"| e04f3abe93ca9b9a2518c2ddc3d273e43caed1f8

−

! ~~Name~~

+

|-

−

! ~~Direction~~

+

! Thing

+

! Virtual address

+

! Physical address

! Size

−

~~! Alignment~~

|-

−

| 0

+

| Code (and entry point)

−

| ~~Command~~

+

| 20200000

−

| In

+

| 139B0000

−

| ~~0x20~~

+

| 0x7D90

−

~~| 4~~

|-

−

| 1

+

| Data (ES vars)

−

~~| [[Ticket]]~~ (~~optional~~)

+

| 20208000

−

| In

+

| 139B8000

−

| ~~0x2a4 if present, not checked if absent (should be 0)~~

+

| 0x140

−

| 32

|-

−

| 2

+

| BSS (zero'd)

−

| ~~[[Certificate chain~~|~~Shared certs]] (optional)~~

+

| 20209000

−

| In

+

| 139B9000

−

| ~~Arbitrary if present, not checked if absent (should be 0)~~

+

| 0x2BDC4

−

| 32

+

|-

+

| Stack

+

| 2022cdc4

+

| ?

+

| 0x8000

|-

−

| 3

+

| Protected heap

−

| ~~[[TMD]]~~

+

| 20209020

−

| ~~Out~~

+

| ?

−

| ~~0x49e4~~

+

| 0x4000

−

~~| 32~~

|-

−

| 4

+

| Open heap

−

| ~~ES Error~~

+

| 13600000

−

| ~~Out~~

+

| ?

−

| ~~0x20 (of which only the first 4 bytes are used)~~

+

| 0x18000

−

~~| 4~~

|}

+

==== Apr 3 2012 12:00:16 2 ====

+

Wii U vWii variant of [[#Jul 24 2008 20:08:45|Jul 24 2008 20:08:45]], with the normal [[#vWii note|vWii changes]]. Used by [[IOS38]] exclusively. The only difference from the other build with the same timestamp is the main thread's priority (which was changed to 0x1b from 0x54). This difference appears in memory at address 20207c48 (offset 7d70) and in the ELF header at file offset 114. It's rather odd that the timestamp was not updated despite that change.

{| class="wikitable"

−

~~|+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| b62ad5ea5a2e03d2fb73e93dad1d34c102ec357a

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

! Thing

−

| u8

+

! Virtual address

−

| ~~Command~~ (~~0x8B~~)

+

! Physical address

+

! Size

+

|-

+

| Code (and entry point)

+

| 20200000

+

| 139B0000

+

| 0x7D90

+

|-

+

| Data (ES vars)

+

| 20208000

+

| 139B8000

+

| 0x140

|-

−

| 4

+

| BSS (zero'd)

−

| ~~off_t~~

+

| 20209000

−

| ~~Partition offset~~

+

| 139B9000

−

|~~- {{partial2}}~~

+

| 0x2BDC4

−

| 8

+

|-

−

| [[Ticket]]*

+

| Stack

−

| ~~Ticket~~

+

| 2022cdc4

−

|~~- {{partial2}}~~

+

| ?

−

| 12

+

| 0x8000

−

| ~~size_t~~

+

|-

−

| ~~Shared certs size~~

+

| Protected heap

−

|~~- {{partial2}}~~

+

| 20209020

−

| 16

+

| ?

−

| u8*

+

| 0x4000

−

~~| Shared certs~~

+

|-

−

|- ~~{{partial2}}~~

+

| Open heap

−

~~| 20~~

+

| 13600000

−

| [[TMD]]*

+

| ?

−

~~| tmd~~

+

| 0x18000

−

~~|- {{partial2}}~~

−

| 24

−

| u32*

−

| ~~ES error output~~

|}

−

=== ~~<s>0x90 DVDLowGetNoDiscOpenPartitionParams</s>~~ ===

+

==== Apr 3 2012 13:11:40 ====

−

~~Dummied out on all current IOS versions; always returns 0x80~~. ~~However, still usable as an Ioctl (which is probably unintended)~~. ~~System menu 4.3U (among other titles) still has a PPC-side implementation (815504c4) but this~~ is ~~not used (the higher-level function that calls it is gone~~ due to ~~not being referenced)~~.

+

Wii U vWii variant of [[#Jul 14 2008 19:32:38|Jul 14 2008 19:32:38]], with the normal [[#vWii note|vWii changes]]. Used by [[IOS28]] exclusively. The open heap is at 0x13800000 instead of 0x13600000, due to a 1-byte change at address 202007fc or offset 924.

{| class="wikitable"

−

|~~+ Vector~~

+

! MD5

−

! ~~Index~~

+

| colspan="3"| 1d1723825d53b5389ec80c89c8a3aa06701ae07d

−

! ~~Name~~

+

|-

−

! ~~Direction~~

+

! Thing

+

! Virtual address

+

! Physical address

! Size

−

~~! Alignment~~

|-

−

| 0

+

| Code (and entry point)

−

| ~~Command~~

+

| 20200000

−

| In

+

| 139B0000

−

| ~~0x20~~

+

| 0x7D90

−

~~| 4~~

|-

−

| 1

+

| Data (ES vars)

−

~~| [[TMD]] size pointer~~ (~~not used~~)

+

| 20208000

−

| In

+

| 139B8000

−

| 4

+

| 0x140

−

| ~~4 (32 on PPC side)~~

|-

−

| 2

+

| BSS (zero'd)

−

~~| [[Certificate chain|Shared certs]] size pointer~~ (~~not used~~)

+

| 20209000

−

| In

+

| 139B9000

−

| 4

+

| 0x2BDC4

−

| ~~4 (32 on PPC side)~~

|-

−

| 3

+

| Stack

−

| ~~[[Ticket]]~~

+

| 2022cdc4

−

| ~~Out~~

+

| ?

−

| ~~0x2A4~~

+

| 0x8000

−

~~| 32~~

|-

−

| 4

+

| Protected heap

−

| ~~TMD size pointer (again; aliases with previous pointer)~~

+

| 20209020

−

| ~~Out~~

+

| ?

−

| 4

+

| 0x4000

−

~~| 4 (32 on PPC side)~~

|-

−

| 5

+

| Open heap

−

| ~~[[TMD]]~~

+

| 0x13800000

−

| ~~Out~~

+

| ?

−

~~| TMD size, from before (i.e. *vector[4].data)~~

+

| 0x18000

−

~~| 32~~

+

|}

−

|-

−

~~| 6~~

−

~~| Shared certs size pointer (again; aliases with the previous pointer)~~

−

~~| Out~~

−

~~| 4~~

−

~~| 4 (32 on PPC side)~~

−

|-

−

~~| 7~~

−

~~| Shared certs~~

−

~~| Out~~

−

~~| Shared certs size, from before (i.e. *vector[6].data)~~

−

~~| 32~~

−

|-

−

~~| 8~~

−

~~| Partition data offset pointer~~

−

~~| Out~~

−

~~| 4~~

−

~~| 4 (32 on PPC side)~~

−

|-

−

~~| 9~~

−

~~| H3 hashes~~

−

~~| Out~~

−

| 0x18000

−

~~| 32~~

−

|}

−

~~After validating sizes and alignments, the params field of the command is set to a stack-allocated structure:~~

+

=== Group D ===

−

~~struct nodiscopenparams {~~

+

Adds [[#0x96 DVDLowGetControlRegister|0x96 DVDLowGetControlRegister]]. Note that although these versions are earlier than group C, they have more features.

−

~~undefined4 unused1;~~

+

−

~~ticket~~ * ~~ticket; // Set~~ to ~~vector[3]~~.~~data~~

+

diFatalError attempts to write 0xdeadbeef to 0xffff0000 before it calls CancelThread and enters an infinite loop. The message was also changed from "(diFatalError) Fatal error in DI driver: %s\nExiting\n" to "(diFatalError) *** DI FATAL ERROR: %s\nExiting\n". Something about this changed compiler or decompiler behavior, changing the way uses of that function affect code flow which makes some changes harder to spot and creates a lot of changes that aren't actually changes.

−

~~undefined4 unused2;~~

+

−

~~size_t tmdSize;~~ // ~~Set~~ to *vector[4].~~data~~

+

clearDriveErrorInterupt and doWaitForCoverClose were moved to be before handleDiCommand instead of after (group C has them at 2020146c/2020149c, and now they are at 20200b80/20200b98). Furthermore, clearDriveErrorInterupt no longer issues a 0xE0 command to the drive, and always returns success (however, the rest of the code still assumes it can fail, printing a warning in that case).

−

~~tmd * tmd; // Set~~ to ~~vector[5]~~.~~data~~

+

−

~~size_t sharedCertsSize; // Set~~ to *vector[6].~~data~~

+

Improved error messages in doBlockRead. The debug messages for when a hash failed now also print the first parameter as a pointer (e.g. "(doBlockRead) Data subblock %d failed to verify against H0 Hash (%08x)"). The fatal error message for the first case was changed from "Data failed to verify against H0 Hash" to "Data subblock failed to verify against H0 Hash" (the other messages of the form "H0 Hashes failed to verify" were not changed). Additionally, if the call to doRawDiskRead fails, the message "(doBlockRead) doRawDiskRead failed, rc=%d\n" is printed (previously nothing was printed); the return value is still that of doRawDiskRead in that case. Lastly, when a hash fails, the parameter is memset with value 0xA5 prior to calling diFatalError.

−

~~byte * sharedCerts~~; ~~// Set~~ to ~~vector[7]~~.~~data~~

+

−

~~off_t partitionDataOffset; // Set~~ to ~~partitionOffset + partition->dataOffset~~ after ~~working~~

+

The implementation of DVDLowRead no longer calls doReadHashEncryptedState if it hasn't been called before (before it checks if the disc is a secure disc). It never needed to anyways, as it is called after DVDLowReadDiskID, which *must* be called first. It was also moved to be before doNonConfirmingDiscRead and doReadHashEncryptedState (at 202029e8) instead of after them (at 20202950).

−

~~h3buffer~~ * ~~h3Hashes; // set~~ to ~~vector[9]~~.~~data~~

−

}

−

~~After executing at~~ a ~~lower level~~ (~~see~~ [[~~#0x90 DVDLowGetNoDiscOpenPartitionParams ioctl|§0x90 DVDLowGetNoDiscOpenPartitionParams ioctl~~]])~~, tmdSize, sharedCertsSize,~~ and ~~partitionDataOffset~~ are ~~written back to vectors 4, 6,~~ and ~~8 respectively~~. ~~(If an error occurs~~, ~~all three are instead set~~ to ~~0.)~~

+

doReadHashEncryptedState only considers a disc as secure (and only enables hashing) if both disable hashing (byte 0x60 of the [[Wii Disc]]) and disable encryption (byte 0x61) are false (and also acts as if hashing were disabled if encryption is disabled). Previously, only the hashing byte controlled whether the disc was secure and hashing was enabled.

−

~~{| class="wikitable"~~

+

The 0x18000-byte H3 hashes buffer is cleared by commonOpenPartition with value 0xA5 if a non-encrypted disc is used (disc encryption at byte 0x61 on the [[Wii Disc]] is 0 and the partition's H3 offset is also 0; disabling encryption but having an H3 offset set will result in a fatal error in both this version and earlier versions).

−

~~|+ Command~~

+

−

~~! Offset~~

+

Some more ES wrappers were added:

−

~~! Type~~

+

* 0x3E (at 2020525c)

−

~~! Name~~

+

* ES_GetV0TicketFromView (0x40, at 20205068)

−

|-

+

−

| 0

+

==== Jul 11 2008 14:34:27 ====

−

~~| u8~~

−

~~| Command (0x90~~)

−

|-

−

~~| 4~~

−

~~| off_t~~

−

~~| Partition position~~ (~~>> 2~~)

−

~~|- {{partial2}}~~

−

~~| 8~~

−

~~| nodiscopenparams~~*

−

~~| params~~

−

|}

−

~~=== <s>0x91 DVDLowNoDiscOpenPartition</s> ===~~

+

Used by several IOS builds:

−

~~Dummied out on~~ all ~~current IOS~~ versions~~; always returns 0x80. However, still usable as an Ioctl~~ (~~which is probably unintended~~).

+

* [[IOS37]] starting with v2816

+

* [[IOS50]] v4889 (v5120 is a stub)

+

* [[IOS51]] v4633 (v4864 is a stub)

+

* [[IOS52]] v5661 (v5888 is a stub)

+

* [[IOS53]] (all versions)

+

* [[IOS55]] (all versions)

−

~~Presumably, the ioctlv would have validated size and alignment~~, ~~and then filled in additional parameters on the command before passing it on~~ to the ~~shared logic that it is still accessible via the ioctlv. However, no PPC-side code exists so the exact ioctlv arguments are unknown~~.

+

Note that this also has a version string of <code>$IOSVersion: DIP: 07/11/08 14:34:26 64M $</code>, probably just due to the two timestamps being determined at separate instants.

{| class="wikitable"

−

~~|+ Vector~~

+

! SHA-1

−

! ~~Index~~

+

| colspan="3"| bff35f53a0ed9f69b15a224552fcc73372308099

−

~~! Name~~

−

~~! Direction~~

−

~~! Size~~

−

~~! Alignment~~

|-

−

~~| 0~~

+

! Thing

−

~~| Command~~

+

! Virtual address

−

~~| In~~

+

! Physical address

−

~~| 0x20~~

+

! Size

−

~~| 4~~

|-

−

| 1

+

| Code (and entry point)

−

| ~~[[Ticket]]~~

+

| 20200000

−

| In

+

| 139B0000

−

| ~~0x2a4~~

+

| 0x8088

−

~~| 32~~

|-

−

| 2

+

| Data (ES vars)

−

| ~~[[TMD]]~~

+

| 20209000

−

| In

+

| 139B9000

−

| ~~Not checked~~

+

| 0x140

−

~~| 32~~

|-

−

| 3

+

| BSS (zero'd)

−

| ~~[[Certificate chain~~|~~Shared certs]]~~

+

| 2020A000

−

| In

+

| 139BA000

−

| ~~Not checked~~

+

| 0x2BDC4

−

| 32

+

|-

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 2020a020

+

| ?

+

| 0x4000

|-

−

| 4

+

| Open heap

−

| ~~H3 hashes~~

+

| 13600000

−

| In

+

| ?

| 0x18000

−

~~| 32~~

−

|-

−

~~| 5~~

−

~~| ES Error~~

−

~~| Out~~

−

~~| 4 (properly sized, unlike with regular open partition)~~

−

~~| 4~~

|}

−

~~After validating sizes and alignments, the params field of the command is set to a stack-allocated structure~~:

+

==== Jul 24 2008 00:30:13 ====

−

~~struct nodiscopenparams {~~

+

Only found in [[IOS48]].

−

~~undefined4 unused1;~~

−

~~ticket * ticket; // Set to vector~~[~~1].data~~

−

~~undefined4 unused2;~~

−

~~size_t tmdSize; // Set to vector~~[2]~~.size~~

−

~~tmd * tmd; // Set to vector[2].data~~

−

~~size_t sharedCertsSize; // Set to vector[3].size~~

−

~~byte * sharedCerts; // Set to vector[3].data~~

−

~~off_t partitionDataOffset; // Set by command~~

−

~~h3buffer * h3Hashes; // set to vector[4~~].~~data~~

−

}

+

Identical to the Jul 11 2008 14:34:27 build apart from the priority of the main thread being set to 0x1b instead of 0x54 (all versions other than this and Jul 24 2008 20:08:45 use 0x54). This results in byte differences at address 20207f40 (file offset 8068), as well as in some ELF header area (file offset 114), and the timestamps.

{| class="wikitable"

−

~~|+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| 0fc5a88a327ee2b5c4ce3dc05faf8c7ef3bbcc1b

−

~~! Type~~

−

~~! Name~~

|-

−

~~| 0~~

+

! Thing

−

~~| u8~~

+

! Virtual address

−

~~| Command (0x91)~~

+

! Physical address

+

! Size

|-

−

| 4

+

| Code (and entry point)

−

~~| off_t~~

+

| 20200000

−

~~| Partition data offset~~

+

| 139B0000

−

~~|- {{partial2}}~~

+

| 0x8088

−

~~| 4~~

−

| nodiscopenparams*

−

~~| params~~

−

~~|- {{partial2}}~~

−

~~| 8~~

−

| u32 *

−

~~| ES error output~~ (~~vector[5].data~~)

−

|}

−

~~=== <s>0x92 DVDLowGetNoDiscBufferSizes</s> ===~~

−

~~Dummied out on all current IOS versions; always returns 0x80. However, still usable as an Ioctl (which is probably unintended).~~ System menu 4.3U (among other titles) still has a PPC-side implementation (815502b8) but this is not used (the higher-level function that calls it is gone due to not being referenced). This does allow determination of the inputs, though:

−

{| ~~class="wikitable"~~

−

|~~+ Vector~~

−

~~! Index~~

−

~~! Name~~

−

~~! Direction~~

−

~~! Size~~

−

~~! Alignment~~

|-

−

| 0

+

| Data (ES vars)

−

| ~~Command~~

+

| 20209000

−

| In

+

| 139B9000

−

| ~~0x20~~

+

| 0x140

−

| 4

+

|-

+

| BSS (zero'd)

+

| 2020A000

+

| 139BA000

+

| 0x2BDC4

+

|-

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

|-

−

| 1

+

| Protected heap

−

| ~~[[TMD]] size pointer~~

+

| 2020a020

−

| ~~Out~~

+

| ?

−

| 4

+

| 0x4000

−

~~| 4 (32 on ppc side)~~

|-

−

| 2

+

| Open heap

−

| ~~[[Certificate chain|Shared certs]] size pointer~~

+

| 13600000

−

~~| Out~~

+

| ?

−

| 4

+

| 0x18000

−

| ~~4 (32 on ppc side)~~

|}

−

~~Both pointers must be non-zero~~. ~~The ioctlv fills in additional parameters on~~ the ~~command~~.

+

==== Dec 24 2008 13:51:06 ====

+

Used in all versions of [[IOS41]], [[IOS43]], [[IOS45]], and [[IOS46]].

+

Rebuild with no changes (other than the timestamps) of Jul 11 2008 14:34:27.

{| class="wikitable"

−

|~~+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| d254a265d25d96723a566e6f877f5df05a645699

−

! ~~Type~~

+

|-

−

! ~~Name~~

+

! Thing

+

! Virtual address

+

! Physical address

+

! Size

|-

−

| 0

+

| Code (and entry point)

−

| u8

+

| 20200000

−

| ~~Command (0x92)~~

+

| 139B0000

+

| 0x8088

|-

−

| 4

+

| Data (ES vars)

−

| ~~off_t~~

+

| 20209000

−

| ~~Partition position~~ (~~>> 2~~)

+

| 139B9000

−

|- ~~{{partial2}}~~

+

| 0x140

−

| 8

+

|-

−

| u32 *

+

| BSS (zero'd)

−

| ~~TMD Size out~~

+

| 2020A000

−

|- ~~{{partial2}}~~

+

| 139BA000

−

| 12

+

| 0x2BDC4

−

| u32 *

+

|-

−

| ~~Cert Chain Size Out~~

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 2020a020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

|}

−

=== ~~0x93 DVDLowOpenPartitionWithTmdAndTicket~~ ===

+

==== Apr 3 2012 12:21:34 ====

−

~~Opens a partition, including verifying it through~~ [[:~~/dev/es~~]] (the ~~resulting~~ [[~~:/dev/es~~#~~Error_codes~~|~~error code~~]] ~~will be written to the specified location, even if it is 0)~~. ~~DVDLowReadDiskID needs to have been called beforehand. This function takes an already-read TMD~~ and ~~can take an already-read ticket, which means it can be faster since the ticket does not need to be read from the disc~~.

+

Wii U vWii variant of [[#Jul 14 2008 19:32:38|Jul 14 2008 19:32:38]], with the normal [[#vWii note|vWii changes]]. Used by [[IOS37]], [[IOS53]], and [[IOS55]].

−

Returns 0x80 if DVDLowReadDiskID has not been called, or a partition is already open, 0x20 if allocations fail or the partition does not pass some DI security checks (valid cert offset, valid tmd offset, presence of hashes), and 0x40 for an ES error.

+

{| class="wikitable"

−

+

! SHA-1

−

~~This command will clear the error interrupt if it is set.~~

+

| colspan="3"| e7a0824785268df455d56c1803620eff180d6556

−

+

|-

−

{| class="wikitable"

+

! Thing

−

|~~+ Vector~~

+

! Virtual address

−

! ~~Index~~

+

! Physical address

−

! ~~Name~~

−

! ~~Direction~~

! Size

−

~~! Alignment~~

|-

−

| 0

+

| Code (and entry point)

−

| ~~Command~~

+

| 20200000

−

| In

+

| 139B0000

−

| ~~0x20~~

+

| 0x80A4

−

~~| 4~~

|-

−

| 1

+

| Data (ES vars)

−

~~| [[Ticket]]~~ (~~optional~~)

+

| 20209000

−

| In

+

| 139B9000

−

| ~~0x2a4 if present, not checked if absent (should be 0)~~

+

| 0x140

−

| 32

|-

−

| 2

+

| BSS (zero'd)

−

| ~~[[TMD]] (required)~~

+

| 2020A000

−

| In

+

| 139BA000

−

| ~~Arbitrary~~

+

| 0x2BDC4

−

| 32

+

|-

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

|-

−

| 3

+

| Protected heap

−

| ~~[[Certificate chain|Shared certs]] (optional)~~

+

| 2020a020

−

~~| In~~

+

| ?

−

| ~~Arbitrary~~

+

| 0x4000

−

| 32

|-

−

| 4

+

| Open heap

−

| ~~ES Error~~

+

| 13600000

−

| ~~Out~~

+

| ?

−

| ~~0x20~~ (~~of which~~ only the ~~first 4 bytes are used~~)

+

| 0x18000

−

~~| 4~~

+

|}

−

|}

+

==== Apr 3 2012 12:31:01 ====

+

Wii U vWii variant of [[#Jul 14 2008 19:32:38|Jul 14 2008 19:32:38]], with the normal [[#vWii note|vWii changes]]. Used by [[IOS41]], [[IOS43]], [[IOS45]], [[IOS46]], and [[IOS48]] (the original version was only used by IOS48, with the rest using [[#Dec 24 2008 13:51:06|Dec 24 2008 13:51:06]]). The main thread has priority 0x1b instead of 0x54, resulting in byte differences at address 20207f5c (offset 8084) and in the ELF header (offset 114), as well as the timestamps. Was the priority change for versions other than IOS48 intentional, with the other modules being updated to compensate{{check}}?

{| class="wikitable"

−

|~~+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| 8835422c143de4b359fea4a0a56aef9386caa53d

−

! ~~Type~~

+

|-

−

! ~~Name~~

+

! Thing

+

! Virtual address

+

! Physical address

+

! Size

|-

−

| 0

+

| Code (and entry point)

−

| u8

+

| 20200000

−

| ~~Command (0x93)~~

+

| 139B0000

+

| 0x80A4

|-

−

| 4

+

| Data (ES vars)

−

| ~~off_t~~

+

| 20209000

−

| ~~Partition offset~~

+

| 139B9000

−

|- ~~{{partial2}}~~

+

| 0x140

−

| 4

+

|-

−

| runopenpartparam*

+

| BSS (zero'd)

−

| ~~params~~

+

| 2020A000

−

|- ~~{{partial2}}~~

+

| 139BA000

−

| 8

+

| 0x2BDC4

−

| u32 *

+

|-

−

| ~~ES error output~~

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 2020a020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

|}

−

~~After running, the first argument is a pointer to a (stack-allocated) structure used by this and 0x94:~~

+

=== Group E ===

−

~~struct runopenpartparam {~~

+

The code that checks H0/H1/H2 hashes was moved into the kernel, using [[IOS/Syscalls|syscall]] 0x77 (IOSC_CheckDiHashes). H3 hashes are still present. It's not clear if the actual hashing behavior changed{{check}}.

−

~~off_t position;~~

+

−

~~ticket * ticket;~~ // ~~Only used by 0x93~~

+

Wrappers for ES IoctlVs 0x41 (at 20205ba4 in 2008 and 20205c58 in 2009 and 2012) and 0x42 (at 20205b44 in 2008 and 20205bf8 in 2009 and 2012) were added.

−

~~ticketview * ticketview;~~ /~~/ Only used by 0x94~~

−

~~size_t tmdSize;~~

−

~~tmd * tmd;~~

−

~~size_t sharedCertsSize;~~

−

~~u8 * sharedCerts;~~

−

}

−

~~=== 0x94 DVDLowOpenPartitionWithTmdAndTicketView ===~~

+

Instructions for syscalls 0x77, 0x78, and 0x79 were added, though only 0x77 is used. Note that these are out of order; 0x77 is at the end of the list at 202042d0 while 0x78 and 0x79 are wedged between 0x5a and 0x5b at 202041e0 for some reason.

−

~~Opens a partition, including verifying it through [[~~:~~/dev/es]] (the resulting [[~~:/dev/es#Error_codes|error code]] will be written to the specified location, even if it is 0). DVDLowReadDiskID needs to have been called beforehand. This function takes an already-read TMD and can take an already-read ticket ticket view, which means it can be faster since the ticket does not need to be read from the disc.

+

==== Nov 24 2008 15:39:09 ====

−

~~Returns 0x80 if DVDLowReadDiskID has not been called, or a partition is already open, 0x20 if allocations fail or~~ the ~~partition does not pass some DI security checks (valid cert offset, valid tmd offset, presence~~ of ~~hashes), and 0x40 for an ES error.~~

+

Used in the first builds of a few IOS versions:

−

~~This command will clear the error interrupt if it~~ is ~~set.~~

+

* [[IOS56]] v4890 only

+

* [[IOS57]] v5404 only

+

* [[IOS60]] v6174 only (other version is a stub)

+

* [[IOS61]] v4890 only

{| class="wikitable"

−

|~~+ Vector~~

+

! SHA-1

−

! ~~Index~~

+

| colspan="3"| 96b035dafcfaf826d1772abd07b8014aed15035f

−

! ~~Name~~

+

|-

−

! ~~Direction~~

+

! Thing

+

! Virtual address

+

! Physical address

! Size

−

~~! Alignment~~

|-

−

| 0

+

| Code (and entry point)

−

| ~~Command~~

+

| 20200000

−

| In

+

| 139B0000

−

| ~~0x20~~

+

| 0x7F00

−

~~| 4~~

|-

−

| 1

+

| Data (ES vars)

−

~~| Ticket View~~ (~~optional~~)

+

| 20208000

−

| In

+

| 139B8000

−

| ~~0x98 if present, not checked if absent (should be 0)~~

+

| 0x140

−

| 32

|-

−

| 2

+

| BSS (zero'd)

−

~~| [[TMD]]~~ (~~required~~)

+

| 20209000

−

| In

+

| 139B9000

−

| ~~Arbitrary~~

+

| 0x2BDC4

−

| 32

|-

−

| 3

+

| Stack

−

| ~~[[Certificate chain~~|~~Shared certs]] (optional)~~

+

| 2022cdc4

−

| In

+

| ?

−

| ~~Arbitrary~~

+

| 0x8000

−

| 32

+

|-

+

| Protected heap

+

| 20209020

+

| ?

+

| 0x4000

|-

−

| 4

+

| Open heap

−

| ~~ES Error~~

+

| 13600000

−

| ~~Out~~

+

| ?

−

| ~~0x20 (of which only the first 4 bytes are used)~~

+

| 0x18000

−

~~| 4~~

|}

+

==== Apr 6 2009 17:10:07 ====

+

Used exclusively by [[IOS56]] v5146, which is not found on NUS (but can be found on e.g. Guitar Hero 5).

+

No changes to the actual driver code from the Nov 24 2008 version, but some of the ES wrapper code changed. These also cause string constants to shift, which makes byte comparisons slightly annoying. The changes:

+

* ES_AddTicket (20204514, Ioctlv 0x01) no longer always uses a size of 0x2a4, but will instead use 0x2a4 plus a 32-bit size at offset 0x2a8 if the byte at offset 0x1bc is nonzero.

+

* ES_GetTicketFromView (20204fc0, Ioctlvs 0x43 and 0x44) was added

{| class="wikitable"

−

~~|+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| 9a915fd77389a79c7fa516e4aac4e30e4e1174ad

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

! Thing

−

| u8

+

! Virtual address

−

| ~~Command~~ (~~0x94~~)

+

! Physical address

+

! Size

+

|-

+

| Code (and entry point)

+

| 20200000

+

| 139B0000

+

| 0x7FB4

+

|-

+

| Data (ES vars)

+

| 20208000

+

| 139B8000

+

| 0x140

|-

−

| 4

+

| BSS (zero'd)

−

| ~~off_t~~

+

| 20209000

−

| ~~Partition offset~~

+

| 139B9000

−

|- ~~{{partial2}}~~

+

| 0x2BDC4

−

| 4

+

|-

−

| runopenpartparam*

+

| Stack

−

| ~~params (see above)~~

+

| 2022cdc4

−

|- ~~{{partial2}}~~

+

| ?

−

| 8

+

| 0x8000

−

| u32 *

+

|-

−

| ~~ES error output~~

+

| Protected heap

+

| 20209020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

|}

−

== ~~Ioctls~~ ==

+

==== Jun 3 2009 07:49:09 ====

+

Used in several IOS versions, and also updated versions of builds that used the Nov 24 2008 version.

−

~~Using a number not listed here results~~ in a ~~return value of 0x80. The input buffer must be sized 0x20 (except for command 0x8E~~)~~. Unless otherwise noted, commands return 1 on success.~~

+

* [[IOS56]] starting with v5405

+

* [[IOS57]] starting with v5661

+

* [[IOS58]] in all versions

+

* [[IOS59]] in all versions

+

* [[IOS61]] starting with v5405

+

* [[IOS70]] v6687 (v6912 is a stub)

+

* [[IOS80]] in all versions

−

~~Ioctls are implemented in two functions: DiIoctl and handleDiCommand~~. ~~handleDiCommand is actually~~ also ~~used by IoctlV as well, and other than for DVDLowOpenPartition~~, ~~IoctlV commands are accidentally exposed as Ioctls as well~~. The ~~following commands are implemented in DiIoctl~~:

+

No changes to the actual driver code from the Nov 24 2008 version, but some of the ES wrapper code changed. These also cause string constants to shift, which makes byte comparisons slightly annoying. The changes:

−

~~{{collapse|title=Commands implemented in DiIoctl|text=~~

+

* Ioctlv 0x45 (20205cb8) was added

−

~~<ul>~~

−

~~<li>0x79 DVDLowWaitForCoverClose</li>~~

−

~~<li>0x7A DVDLowGetCoverRegister</li>~~

−

~~<li>0x83 DVDLowGetLength</li>~~

−

~~<li>0x84 Get DIIMMBUF</li>~~

−

~~<li>0x85 DVDLowUnmaskCoverInterrupt</li>~~

−

~~<li>0x86 DVDLowClearCoverInterrupt</li>~~

−

~~<li>0x87</li>~~

−

~~<li>0x88 DVDLowGetCoverStatus</li>~~

−

~~<li>0x89 Enable Cover Interrupt</li>~~

−

~~<li>0x8B DVDLowOpenPartition ioctl</li>~~

−

~~<li>0x8E DVDLowEnableDvdVideo</li>~~

−

~~<li>0x95 DVDLowGetStatusRegister</li>~~

−

~~<li>0x96 DVDLowGetControlRegister</li>~~

−

~~</ul>~~

−

}}

−

~~Commands will clear the error interrupt by writing bit 2 of DISR if it is set after execution.~~ ~~Furthermore, the same check happens before execution, but this should generally not happen barring other code directly writing to the DI registers~~ (~~a warning is logged in this case~~). ~~These checks happen in handleDiCommand, so commands implemented in DiIoctl are not affected; additionally the second check is skipped for 0x8A DVDLowReset and 0xE0 DVDLowRequestError.~~ ~~In some versions, the second check will also issue a request error command to the drive~~ (~~which, as a side effect, clears the error in the drive itself, which would break a second DVDLowRequestError — that explains why it is skipped~~).

+

{| class="wikitable"

−

+

! SHA-1

−

~~If an output buffer size check fails, DIMAR and DILENGTH will not be written, and there is code that sets the return value to 0x20.~~ ~~However, the driver still attempts to start the transfer, which will fail due to not writing DILENGTH~~ (~~which should have counted back down 0 after any previous successful transfer{{check}}~~)~~; this will result in an eventual timeout and returning of 0x10{{check}}. <!~~-- ~~This seems completely wack, but it seems to be how the code works... -~~->

+

| colspan="3"| 4e04e88ec7250de84a1e788ae69fdad9351330a8

−

+

|-

−

~~=== 0x12 DVDLowInquiry ===~~

+

! Thing

−

+

! Virtual address

−

~~Retrieves information about the drive verison; see [http://hitmen.c02.at/files/yagcd/yagcd/chap5.html#sec5.7.3.1 yagcd §5.7.3.1] for more info.~~

+

! Physical address

−

+

! Size

−

~~The output buffer size must be ≥ 0x20, or DIMAR and DILENGTH will not be written.~~ ~~It must also be 32-bit aligned, or else the driver will hang.~~

+

|-

+

| Code (and entry point)

+

| 20200000

+

| 139B0000

+

| 0x7FF0

+

|-

+

| Data (ES vars)

+

| 20208000

+

| 139B8000

+

| 0x140

+

|-

+

| BSS (zero'd)

+

| 20209000

+

| 139B9000

+

| 0x2BDC4

+

|-

+

| Stack

+

| 2022cdc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 20209020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

+

|}

−

~~Note that YAGCD is incorrect and there is actually one additional byte after the drive date, [https~~:~~//web.archive.org/web/20070602090342/http~~:~~//www.crazynation.org/GC/GC_DD_TECH/GCTech.htm apparently] indicating the version. This is not new to the Wii.~~

+

==== Feb 27 2012 14:39:56 ====

−

~~DICMDBUF0 = 0x12000000~~

+

Used exclusively by [[IOS62]]. The wrappers for ES IoctlVs 0x41 and 0x42 were changed slightly, both requiring that the second parameter is not greater than 0x14 instead of 0x13. This results in differences at addresses 20205c16 (0x42) and 20205c76 (0x41) (file offsets 5d30 and 5d9e), in addition to the timestamp change.

−

~~DILENGTH = 0x20~~

−

~~DIMAR = outbuf~~

−

~~DICMDBUF1 = 0~~

−

~~DICR = TSTART | DMA~~

{| class="wikitable"

−

|~~+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| d5dfeb42909a20453c0f574e9a8c41f50792bf8f

−

! ~~Type~~

+

|-

−

! ~~Name~~

+

! Thing

+

! Virtual address

+

! Physical address

+

! Size

+

|-

+

| Code (and entry point)

+

| 20200000

+

| 139B0000

+

| 0x7FF0

|-

−

| 0

+

| Data (ES vars)

−

| u8

+

| 20208000

−

| ~~Command~~ (~~0x12~~)

+

| 139B8000

−

|}

+

| 0x140

−

+

|-

−

~~=== 0x70 DVDLowReadDiskID ===~~

+

| BSS (zero'd)

−

+

| 20209000

−

~~Reads the current disc ID and initializes the drive.~~ ~~Many other commands will not work before this (either by explicitly checking, or due to the drive returning error 0x05xxxxxx).~~

+

| 139B9000

−

+

| 0x2BDC4

−

~~This command cannot be used while the drive interface is resetting (if [[IOS/Syscalls~~|~~syscall]] 0x46 syscall_check_di_reset returns true); in which case it will return 0x80.~~ ~~0x80 will also be returned if the output buffer is not 32~~-~~byte aligned.~~

+

|-

+

| Stack

+

| 2022cdc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 20209020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

+

|}

+

==== Apr 2 2012 14:03:54 ====

−

~~The output buffer size must be ≥ 0x20~~, ~~or DIMAR~~ and ~~DILENGTH will not be written~~.

+

Wii U vWii variant of [[#Jun 3 2009 07:49:09|Jun 3 2009 07:49:09]], with the normal [[#vWii note|vWii changes]]. Also has the changes to 0x41 and 0x42 from [[#Feb 27 2012 14:39:56|Feb 27 2012 14:39:56]]. Used by [[IOS56]], [[IOS57]], [[IOS58]], and [[IOS80]].

−

~~DICMDBUF0 = 0xA8000040~~

+

{| class="wikitable"

−

~~DICMDBUF1~~ = 0

+

! SHA-1

−

~~DICMDBUF2 = 0x20~~

+

| colspan="3"| 43cbc9d451df6296214347f8a33349b2dda843f0

−

~~DILENGTH = 0x20~~

+

|-

−

~~DIMAR = dest~~

+

! Thing

−

~~DICR = TSTART | DMA~~

+

! Virtual address

−

+

! Physical address

−

{| ~~class="wikitable"~~

+

! Size

−

|~~+ Command~~

+

|-

−

~~! Offset~~

+

| Code (and entry point)

−

~~! Type~~

+

| 20200000

−

~~! Name~~

+

| 139B0000

+

| 0x800C

|-

−

| 0

+

| Data (ES vars)

−

| u8

+

| 20209000

−

| ~~Command~~ (~~0x70~~)

+

| 139B9000

−

|}

+

| 0x140

−

+

|-

−

After this command has finished reading, the driver will also look at the 4 bytes at offset 0x18 in the output (i.e. outbuf[6] if outbuf is a u32 array) for the Wii magicword 0x5D1C9EA3 to determine if it is a [[Wii Disc|~~Wii disc]].~~ ~~If it is a Wii disc, and it has not already read it, it will read 0x44 (padded to 0x60) bytes starting at byte 0x20 (i.e. the game title, and the disable hashing and disable encryption flags).~~ ~~Thus, after the first call, DVDLowGetLength will return 0x60, and on later calls it will return 0x20.~~

+

| BSS (zero'd)

−

+

| 2020A000

−

~~=== 0x71 DVDLowRead ===~~

+

| 139BA000

+

| 0x2BDC4

+

|-

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 2020a020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

+

|}

−

~~Reads and decrypts disc data.~~ ~~This command can only be used if hashing and encryption are enabled for the disc. DVDLowOpenPartition needs to have been called before for the keys to be read.~~

+

==== Apr 3 2012 12:50:03 ====

−

~~The output buffer has no requirements on alignment, but will perform better if 32-byte aligned since it can avoid a copy from a buffer within the driver.~~ ~~Similarly~~, the ~~offset and size can be any value, but ones that are sector-aligned~~ (~~sizes that are multiples of 0x7C00~~ and ~~offsets that are multiples of 0x1F00~~) ~~avoid copies for~~ the ~~first and/or last sector that needs~~ to ~~be read~~ and ~~decrypted~~. ~~Each individual sector is read using command 0xA8.~~

+

A second Wii U vWii variant of [[#Jun 3 2009 07:49:09|Jun 3 2009 07:49:09]], with the normal [[#vWii note|vWii changes]] (and no other changes other than the timestamp). Also has the changes to 0x41 and 0x42 from [[#Feb 27 2012 14:39:56|Feb 27 2012 14:39:56]]. Used exclusively by the three versions of [[IOS59]].

−

~~This command immediately returns 0x20 if~~ the ~~buffer is too small, and also returns 0x20 if something went wrong with decryption or hashing and 2 for a drive error.~~

−

~~If everything completed successfully, the last length value used by DVDLowGetLength is set to offset (almost certainly a mistake on Nintendo's end). Otherwise, it is set to 0~~.

{| class="wikitable"

−

|~~+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| e961f817c53ad3d87af96635df99bc6ee70ed056

−

! ~~Type~~

+

|-

−

! ~~Name~~

+

! Thing

+

! Virtual address

+

! Physical address

+

! Size

+

|-

+

| Code (and entry point)

+

| 20200000

+

| 139B0000

+

| 0x800C

|-

−

| 0

+

| Data (ES vars)

−

| u8

+

| 20209000

−

| ~~Command (0x71)~~

+

| 139B9000

+

| 0x140

|-

−

| 4

+

| BSS (zero'd)

−

| ~~size_t~~

+

| 2020A000

−

| ~~Size (bytes)~~

+

| 139BA000

+

| 0x2BDC4

|-

−

| 8

+

| Stack

−

| ~~off_t~~

+

| 2022ddc4

−

| ~~Offset (bytes >> 2)~~

+

| ?

−

|}

+

| 0x8000

−

+

|-

−

~~=== 0x79 DVDLowWaitForCoverClose ===~~

+

| Protected heap

−

+

| 2020a020

−

~~Waits for a disc to be inserted; if there is already a disc inserted, it must be removed first.~~ This command does not time out; if no disc is inserted, it will wait forever. (As such, I'm not entirely sure how it can be cancelled; I assume but have not checked that the Wii Fit Channel uses this when waiting for the Wii Fit disc to be inserted, but that can be canceled...)

+

| ?

−

+

| 0x4000

−

Continuously waits for a DI interrupt, and when it receives one it checks for the cover interrupt (bit 2 of DICVR); if it is set it then checks if the cover is closed (bit 0 of DICVR) and if sufficient time has ellapsed. ~~It also clears the TC and error interrupts should they occur.~~

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

+

|}

−

~~The output buffer is not used, and it may be null.~~ ~~Its size is not checked.~~

+

==== Apr 3 2012 13:00:48 ====

−

~~On completion~~, ~~returns 0x4~~.

+

Wii U vWii variant of [[#Feb 27 2012 14:39:56|Feb 27 2012 14:39:56]], with the normal [[#vWii note|vWii changes]] (and no other changes other than the timestamp, though to be clear it does have the changed 0x41 and 0x42). Used exclusively by the three versions of [[IOS62]].

{| class="wikitable"

−

~~|+ Command~~

+

! SHA-1

−

! ~~Offset~~

+

| colspan="3"| 86bec5ad6815c2bf1f154690f2abd0e6141f0f8b

−

~~! Type~~

−

~~! Name~~

|-

−

~~| 0~~

+

! Thing

−

~~| u8~~

+

! Virtual address

−

~~| Command (0x79)~~

+

! Physical address

−

|}

+

! Size

−

~~=== 0x7A DVDLowGetCoverRegister ===~~

−

Stores the current value of DICVR into outbuf, which must be at least 4 bytes in size (or else 0x20 is returned). Note that Nintendo titles also refer to this as DVDLowPrepareCoverRegister, but that function simply asynchronously reads it into game memory so that it can be accessed by a separate function later. (A similar name pattern is found for the other get-reg commands.)

−

~~{| class="wikitable"~~

−

~~|+ Command~~

−

! ~~Offset~~

−

! ~~Type~~

−

! ~~Name~~

|-

−

| 0

+

| Code (and entry point)

−

~~| u8~~

+

| 20200000

−

~~| Command~~ (~~0x7A~~)

+

| 139B0000

−

|}

+

| 0x800C

−

~~=== 0x7E DVDLowNotifyReset ===~~

−

Resets internal flags, closes the open partition (if there is one), clears the transfer complete interrupt and drive error interrupt, enables the transfer complete interrupt and error interrupt, and disables the cover interrupt.

−

{| ~~class="wikitable"~~

−

|~~+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| Data (ES vars)

−

| u8

+

| 20209000

−

| ~~Command~~ (~~0x7E~~)

+

| 139B9000

+

| 0x140

+

|-

+

| BSS (zero'd)

+

| 2020A000

+

| 139BA000

+

| 0x2BDC4

+

|-

+

| Stack

+

| 2022ddc4

+

| ?

+

| 0x8000

+

|-

+

| Protected heap

+

| 2020a020

+

| ?

+

| 0x4000

+

|-

+

| Open heap

+

| 13600000

+

| ?

+

| 0x18000

|}

−

==~~= <s>0x7F DVDLowSetSpinupFlag</s> =~~==

+

== IoctlVs ==

−

~~Prints the message "(handleDiCommand) DI_SET_SPINUP_FLAG_CMD should have been executed~~ in ~~the PPC shim layer only" and returns~~ 0x80.

+

An incorrect size or alignment, or an incorrect in count or out count, will result in a return value of 0x80. Commands not listed here will cause a hang.

−

~~The PPC-side simply stores~~ a ~~boolean which~~ is ~~later~~ used as the ~~parameter~~ to ~~DVDLowReset~~. ~~For~~ some ~~reason, Nintendo decided to give it an ioctl number as well, even though it didn't need one~~.

+

IoctlVs and Ioctls both go to one shared function that actually handles them which takes a diCommand; IoctlV is used when there are multiple pointers being passed to simplify conversion from virtual to physical addresses (which happens on the PPC side in both Nintendo's and libogc's IoctlV function). The IoctlVs will modify the passed diCommand to have additional parameters, noted in yellow. This means that in some cases the Ioctl can be used directly.

−

~~{| class~~=~~"wikitable"~~

+

=== 0x8B DVDLowOpenPartition ===

−

~~|+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

−

|-

−

~~| 0~~

−

~~| u8~~

−

~~| Command (0x7F)~~

−

|}

−

~~=== 0x80 DVDLowReadDvdPhysical ===~~

+

Opens a partition, including verifying it through [[:/dev/es]] (the resulting [[:/dev/es#Error_codes|error code]] will be written to the specified location, even if it is 0). DVDLowReadDiskID needs to have been called beforehand.

−

~~Probably related to DVD-Video{{check}}~~.

+

Returns 0x80 if DVDLowReadDiskID has not been called, or a partition is already open, 0x20 if allocations fail or the partition does not pass some DI security checks (valid cert offset, valid tmd offset, presence of hashes, presense of tmd), and 0x40 for an ES error.

−

~~The output buffer size must be ≥ 0x800, or DIMAR and DILENGTH~~ will ~~not be written. The output buffer also needs to be 32-byte aligned, or else~~ the ~~driver will hang~~.

+

This command will clear the error interrupt if it is set.

−

~~DICMDBUF0 = 0xAD000000 | (position << 8) // AD00XX00~~

−

~~DICMDBUF1 = 0~~

−

~~DICMDBUF2 = 0~~

−

~~DILENGTH = 0x800~~

−

~~DIMAR = dest~~

−

~~DICR = TSTART | DMA~~

{| class="wikitable"

−

|+ ~~Command~~

+

|+ Vector

−

! ~~Offset~~

+

! Index

−

~~! Type~~

! Name

+

! Direction

+

! Size

+

! Alignment

|-

| 0

−

| u8

+

| Command

−

| ~~Command~~ (~~0x80~~)

+

| In

+

| 0x20

+

| 4

+

|-

+

| 1

+

| [[Ticket]] (optional)

+

| In

+

| 0x2a4 if present, not checked if absent (should be 0)

+

| 32

|-

−

| 7

+

| 2

−

| u8

+

| [[Certificate chain|Shared certs]] (optional)

−

| ~~Position~~(?)

+

| In

−

|}

+

| Arbitrary if present, not checked if absent (should be 0)

−

+

| 32

−

~~=== 0x81 DVDLowReadDvdCopyright ===~~

+

|-

−

+

| 3

−

~~Probably related to DVD-Video{{check}}.~~

+

| [[TMD]]

−

+

| Out

−

~~DICMDBUF0 = 0xAD010000~~ | ~~(position << 8) // AD01XX00~~

+

| 0x49e4

−

~~DICMDBUF1 = 0~~

+

| 32

−

~~DICMDBUF2 = 0~~

+

|-

−

~~DICR = TSTART~~

+

| 4

−

+

| ES Error

−

~~The contents~~ of ~~DIIMMBUF (u32~~) ~~are written to the output buffer.~~ ~~The output buffer size is not checked, but~~ 4 ~~would be a sane value.~~

+

| Out

+

| 0x20 (of which only the first 4 bytes are used)

+

| 4

+

|}

{| class="wikitable"

Line 1,472: Line 1,521:

| 0

| u8

−

| Command (~~0x81~~)

+

| Command (0x8B)

|-

−

| 7

+

| 4

−

| u8

+

| off_t

−

| ~~Position(?)~~

+

| Partition offset

−

|}

+

|- {{partial2}}

+

| 8

+

| [[Ticket]]*

+

| Ticket

+

|- {{partial2}}

+

| 12

+

| size_t

+

| Shared certs size

+

|- {{partial2}}

+

| 16

+

| u8*

+

| Shared certs

+

|- {{partial2}}

+

| 20

+

| [[TMD]]*

+

| tmd

+

|- {{partial2}}

+

| 24

+

| u32*

+

| ES error output

+

|}

−

=== ~~0x82 DVDLowReadDvdDiscKey~~ ===

+

=== <s>0x90 DVDLowGetNoDiscOpenPartitionParams</s> ===

−

~~Probably related~~ to ~~DVD-Video{{check}}~~.

+

Dummied out on all current IOS versions; always returns 0x80. However, still usable as an Ioctl (which is probably unintended). System menu 4.3U (among other titles) still has a PPC-side implementation (815504c4) but this is not used (the higher-level function that calls it is gone due to not being referenced). The only version that has an implementation of it is [[#Jun 8 2007 18:17:09|Jun 8 2007 18:17:09]], which is no longer used by any IOS version.

−

~~The output buffer size must be ≥ 0x800, or DIMAR and DILENGTH will not be written. The output buffer also needs to be 32-byte aligned, or else the driver will hang.~~

+

{| class="wikitable"

−

+

|+ Vector

−

~~DICMDBUF0 = 0xAD020000 | (position << 8) // AD02XX00~~

+

! Index

−

~~DICMDBUF1 = 0~~

+

! Name

−

~~DICMDBUF2 = 0~~

+

! Direction

−

~~DILENGTH = 0x800~~

+

! Size

−

~~DIMAR = dest~~

+

! Alignment

−

~~DICR = TSTART | DMA~~

−

{| class="wikitable"

−

|+ ~~Command~~

−

! ~~Offset~~

−

! ~~Type~~

−

! ~~Name~~

|-

| 0

−

| u8

+

| Command

−

| ~~Command (0x82)~~

+

| In

+

| 0x20

+

| 4

|-

−

| 7

+

| 1

−

| u8

+

| [[TMD]] size pointer (not used)

−

| ~~Position(?)~~

+

| In

−

|}

+

| 4

−

+

| 4 (32 on PPC side)

−

~~=== 0x83 DVDLowGetLength ===~~

−

~~Stores the last DILENGTH value into outbuf, which must be at least~~ 4 ~~bytes in size~~ (~~or else 0x20 is returned). Note that this doesn't directly read DILENGTH, but rather a separate value that is set when DILENGTH is set (and zero'd if a read error occurs~~ on ~~a command that uses DILENGTH; this means that this command cannot be used to get the amount of data still left to be transfered when the error happened~~).

−

~~{| class="wikitable"~~

−

~~|+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| 2

−

| u8

+

| [[Certificate chain|Shared certs]] size pointer (not used)

−

| ~~Command~~ (~~0x83~~)

+

| In

−

|}

+

| 4

−

+

| 4 (32 on PPC side)

−

~~=== 0x84 Get DIIMMBUF ===~~

−

~~Stores the current value of DIIMMBUF into outbuf, which must be at least~~ 4 ~~bytes in size~~ (~~or else 0x20 is returned~~).

−

~~{| class="wikitable"~~

−

~~|+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| 3

−

| u8

+

| [[Ticket]]

−

| ~~Command (0x83)~~

+

| Out

−

|}

+

| 0x2A4

−

+

| 32

−

~~=== 0x85 DVDLowUnmaskCoverInterrupt ===~~

+

|-

−

+

| 4

−

~~Disables the cover interrupt by clearing bit 1 of DICVR (leaving bit zero unchanged).~~ ~~Does not clear the cover interrupt if it is currently asserted~~ (~~does not write bit 2~~).

+

| TMD size pointer (again; aliases with previous pointer)

−

+

| Out

−

~~The output buffer is not used, and it may be null.~~ ~~Its size is not checked.~~

+

| 4

−

+

| 4 (32 on PPC side)

−

{| ~~class="wikitable"~~

−

|~~+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| 5

−

| u8

+

| [[TMD]]

−

| ~~Command~~ (~~0x85~~)

+

| Out

−

|}

+

| TMD size, from before (i.e. *vector[4].data)

−

+

| 32

−

~~=== 0x86 DVDLowClearCoverInterrupt ===~~

+

|-

−

+

| 6

−

~~Clears the cover interrupt by writing bit 2 of DICVR~~ (~~leaving~~ the ~~other bits unchanged~~).

+

| Shared certs size pointer (again; aliases with the previous pointer)

−

+

| Out

−

~~The output buffer is not used, and it may be null.~~ ~~Its size is not checked.~~

+

| 4

−

+

| 4 (32 on PPC side)

−

{| ~~class="wikitable"~~

−

|~~+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| 7

−

| u8

+

| Shared certs

−

| ~~Command~~ (~~0x86~~)

+

| Out

−

|}

+

| Shared certs size, from before (i.e. *vector[6].data)

−

+

| 32

−

~~=== <s>0x87</s> ===~~

+

|-

−

+

| 8

−

~~Dummied out; does nothing (and always returns 1).~~ ~~Possibly an ID reserved for a PPC~~-~~only command (DVDLowBreak?), as is also done with DVDLowSetSpinupFlag?~~

+

| Partition data offset pointer

−

+

| Out

−

~~The output buffer is not used, and it may be null.~~ ~~Its size is not checked.~~

+

| 4

−

+

| 4 (32 on PPC side)

−

{| ~~class="wikitable"~~

−

|~~+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| 9

−

| u8

+

| H3 hashes

−

| ~~Command (0x87)~~

+

| Out

+

| 0x18000

+

| 32

|}

−

~~=== 0x88 DVDLowGetCoverStatus ===~~

+

After validating sizes and alignments, the params field of the command is set to a stack-allocated structure:

−

~~Checks the current cover status and stores the result into outbuf, which must be at least~~ 4 ~~bytes in size (or else 0x20 is returned)~~.

+

struct nodiscopenparams {

−

+

undefined4 unused1;

−

~~The result is 0 right~~ after ~~a reset{{check~~}~~}, 1 if~~ a ~~disc is not inserted~~ (~~bit 1 of DICVR set~~), and ~~2 if a disc is inserted~~ (~~bit 1 of DICVR not~~ set).

+

ticket * ticket; // Set to vector[3].data

+

undefined4 unused2;

+

size_t tmdSize; // Set to *vector[4].data

+

tmd * tmd; // Set to vector[5].data

+

size_t sharedCertsSize; // Set to *vector[6].data

+

byte * sharedCerts; // Set to vector[7].data

+

off_t partitionDataOffset; // Set to partitionOffset + partition->dataOffset after working

+

h3buffer * h3Hashes; // set to vector[9].data

+

}

+

After executing at a lower level (see [[#0x90 DVDLowGetNoDiscOpenPartitionParams ioctl|§0x90 DVDLowGetNoDiscOpenPartitionParams ioctl]]), tmdSize, sharedCertsSize, and partitionDataOffset are written back to vectors 4, 6, and 8 respectively. (If an error occurs, all three are instead set to 0.)

{| class="wikitable"

Line 1,602: Line 1,645:

| 0

| u8

−

| Command (~~0x88~~)

+

| Command (0x90)

+

|-

+

| 4

+

| off_t

+

| Partition position (>> 2)

+

|- {{partial2}}

+

| 8

+

| nodiscopenparams*

+

| params

|}

−

=== ~~0x89 Enable Cover Interrupt~~ ===

+

=== <s>0x91 DVDLowNoDiscOpenPartition</s> ===

−

~~Enables the cover interrupt by setting bit 1 of DICVR~~ (~~leaving bit zero unchanged~~). ~~Does not clear~~ the ~~cover interrupt if it is currently asserted (does not write bit 2~~).

+

Dummied out on all current IOS versions; always returns 0x80. However, still usable as an Ioctl (which is probably unintended). No PPC-side code exists for this command in any known title (it was never called, even in an unreachable in practice way, so the function was optimized out). The only version that has an implementation of it is [[#Jun 8 2007 18:17:09|Jun 8 2007 18:17:09]], which is no longer used by any IOS version.

−

The ~~output buffer~~ is ~~not used~~, ~~and it may be null. Its size~~ is ~~not checked~~.

{| class="wikitable"

−

|+ ~~Command~~

+

|+ Vector

−

! ~~Offset~~

+

! Index

−

~~! Type~~

! Name

+

! Direction

+

! Size

+

! Alignment

|-

| 0

−

~~| u8~~

+

| Command

−

| Command ~~(0x89)~~

+

| In

−

|}

+

| 0x20

−

+

| 4

−

~~=== 0x8A DVDLowReset ===~~

−

Resets the drive, using [[IOS/Syscalls|syscalls]] 0x44, 0x45, and 0x46. If a reset is already in progress (syscall_check_di_reset returns true), then it immediately calls syscall_deassert_di_reset; otherwise, it calls syscall_assert_di_reset, waits 12µs, and then calls syscall_deassert_di_reset. Afterwards, registers are reset in the same way as DVDLowNotifyReset other than the cover interrupt. ~~The cover interrupt is temporarilly disabled during this process, but is reenabled afterwards if it was enabled before.~~

−

~~Enable spinup is passed to syscall 0x4e, which activates the DI_SPIN [[Hardware/Hollywood_GPIOs~~|~~GPIO]] if it is 0 and disables it otherwise.~~

−

~~The output buffer is not used, and it may be null. Its size is not checked.~~

−

~~{| class="wikitable"~~

−

|~~+ Command~~

−

~~! Offset~~

−

~~! Type~~

−

~~! Name~~

|-

−

| 0

+

| 1

−

| u8

+

| [[Ticket]]

−

| ~~Command (0x8A)~~

+

| In

+

| 0x2a4

+

| 32

|-

+

| 2

+

| [[TMD]]

+

| In

+

| Not checked

+

| 32

+

|-

+

| 3

+

| [[Certificate chain|Shared certs]]

+

| In

+

| Not checked

+

| 32

+

|-

+

| 4

+

| H3 hashes

+

| In

+

| 0x18000

+

| 32

+

|-

+

| 5

+

| ES Error

+

| Out

+

| 4 (properly sized, unlike with regular open partition)

| 4

−

~~| u32~~

−

~~| Enable spinup~~

|}

−

~~=== <s>0x8B DVDLowOpenPartition ioctl<~~/~~s> ===~~

+

After validating sizes and alignments, the params field of the command is set to a stack-allocated structure:

+

struct nodiscopenparams {

+

undefined4 unused1;

+

ticket * ticket; // Set to vector[1].data

+

undefined4 unused2;

+

size_t tmdSize; // Set to vector[2].size

+

tmd * tmd; // Set to vector[2].data

+

size_t sharedCertsSize; // Set to vector[3].size

+

byte * sharedCerts; // Set to vector[3].data

+

off_t partitionDataOffset; // Set by command

+

h3buffer * h3Hashes; // set to vector[4].data

+

}

−

~~Returns 0x20 and prints a warning that "OPEN_PARTITION done through Ioctlv, not Ioctl".~~

−

~~The output buffer is not used, and it may be null. Its size is not checked.~~

{| class="wikitable"

Line 1,659: Line 1,728:

| 0

| u8

−

| Command (~~0x8B~~)

+

| Command (0x91)

+

|-

+

| 4

+

| off_t

+

| Partition data offset

+

|- {{partial2}}

+

| 4

+

| nodiscopenparams*

+

| params

+

|- {{partial2}}

+

| 8

+

| u32 *

+

| ES error output (vector[5].data)

|}

−

=== ~~0x8C DVDLowClosePartition~~ ===

+

=== <s>0x92 DVDLowGetNoDiscBufferSizes</s> ===

−

~~~~

−

~~Closes the currently-open partition, removing information about its keys and such.~~

−

~~The output buffer~~ is not used, ~~and it may~~ be ~~null~~. ~~Its size is not checked~~.

+

Dummied out on all current IOS versions; always returns 0x80. However, still usable as an Ioctl (which is probably unintended). System menu 4.3U (among other titles) still has a PPC-side implementation (815502b8) but this is not used (the higher-level function that calls it is gone due to not being referenced). The only version that has an implementation of it is [[#Jun 8 2007 18:17:09|Jun 8 2007 18:17:09]], which is no longer used by any IOS version.

+

{| class="wikitable"

+

|+ Vector

+

! Index

+

! Name

+

! Direction

+

! Size

+

! Alignment

+

|-

+

| 0

+

| Command

+

| In

+

| 0x20

+

| 4

+

|-

+

| 1

+

| [[TMD]] size pointer

+

| Out

+

| 4

+

| 4 (32 on ppc side)

+

|-

+

| 2

+

| [[Certificate chain|Shared certs]] size pointer

+

| Out

+

| 4

+

| 4 (32 on ppc side)

+

|}

+

Both pointers must be non-zero. The ioctlv fills in additional parameters on the command.

{| class="wikitable"

Line 1,676: Line 1,784:

| 0

| u8

−

| Command (~~0x8C~~)

+

| Command (0x92)

+

|-

+

| 4

+

| off_t

+

| Partition position (>> 2)

+

|- {{partial2}}

+

| 8

+

| u32 *

+

| TMD Size out

+

|- {{partial2}}

+

| 12

+

| u32 *

+

| Cert Chain Size Out

|}

−

=== ~~0x8D DVDLowUnencryptedRead~~ ===

+

=== 0x93 DVDLowOpenPartitionWithTmdAndTicket ===

+

Opens a partition, including verifying it through [[:/dev/es]] (the resulting [[:/dev/es#Error_codes|error code]] will be written to the specified location, even if it is 0). DVDLowReadDiskID needs to have been called beforehand. This function takes an already-read TMD and can take an already-read ticket, which means it can be faster since the ticket does not need to be read from the disc.

+

Returns 0x80 if DVDLowReadDiskID has not been called, or a partition is already open, 0x20 if allocations fail or the partition does not pass some DI security checks (valid cert offset, valid tmd offset, presence of hashes), and 0x40 for an ES error.

−

~~Reads raw data from~~ the ~~disc. Only usable in the [[Wii_Disc#.22System_Area.22|"System Area"]] of the disc~~. ~~The start and end must lie within a single one of the following ranges or else 0x20 is returned:~~

+

This command will clear the error interrupt if it is set.

{| class="wikitable"

−

|+ ~~Ranges~~

+

|+ Vector

−

! ~~Start (offset)~~

+

! Index

−

! ~~Start (bytes)~~

+

! Name

−

! ~~Length (offset)~~

+

! Direction

−

! ~~Length (bytes)~~

+

! Size

−

! ~~End (offset)~~

+

! Alignment

−

~~! End (bytes)~~

|-

| 0

−

| 0

+

| Command

−

| 0x14000

+

| In

−

| 0x50000

+

| 0x20

−

| 0x14000

+

| 4

−

| 0x50000

+

|-

−

|-

+

| 1

−

| 0x460A0000

+

| [[Ticket]] (optional)

−

| 0x118280000

+

| In

−

| 8

+

| 0x2a4 if present, not checked if absent (should be 0)

−

| 0x20

+

| 32

−

| 0x460A0008

+

|-

−

| 0x118280020

+

| 2

−

|-

+

| [[TMD]] (required)

−

| 0x7ED40000

+

| In

−

| 0x1FB500000

+

| Arbitrary

−

| 8

+

| 32

−

| 0x20

+

|-

−

| 0x7ED40008

+

| 3

−

| 0x1FB500020

+

| [[Certificate chain|Shared certs]] (optional)

−

|}

+

| In

−

+

| Arbitrary

−

The output buffer must be 32-byte aligned and the length must also be a multiple of 32; otherwise, 0x80 is returned.

+

| 32

+

|-

+

| 4

+

| ES Error

+

| Out

+

| 0x20 (of which only the first 4 bytes are used)

+

| 4

+

|}

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x93)

+

|-

+

| 4

+

| off_t

+

| Partition offset

+

|- {{partial2}}

+

| 4

+

| runopenpartparam*

+

| params

+

|- {{partial2}}

+

| 8

+

| u32 *

+

| ES error output

+

|}

+

After running, the first argument is a pointer to a (stack-allocated) structure used by this and 0x94:

+

struct runopenpartparam {

+

off_t position;

+

ticket * ticket; // Only used by 0x93

+

ticketview * ticketview; // Only used by 0x94

+

size_t tmdSize;

+

tmd * tmd;

+

size_t sharedCertsSize;

+

u8 * sharedCerts;

+

}

+

=== 0x94 DVDLowOpenPartitionWithTmdAndTicketView ===

+

Opens a partition, including verifying it through [[:/dev/es]] (the resulting [[:/dev/es#Error_codes|error code]] will be written to the specified location, even if it is 0). DVDLowReadDiskID needs to have been called beforehand. This function takes an already-read TMD and can take an already-read ticket ticket view, which means it can be faster since the ticket does not need to be read from the disc.

+

Returns 0x80 if DVDLowReadDiskID has not been called, or a partition is already open, 0x20 if allocations fail or the partition does not pass some DI security checks (valid cert offset, valid tmd offset, presence of hashes), and 0x40 for an ES error.

+

This command will clear the error interrupt if it is set.

+

{| class="wikitable"

+

|+ Vector

+

! Index

+

! Name

+

! Direction

+

! Size

+

! Alignment

+

|-

+

| 0

+

| Command

+

| In

+

| 0x20

+

| 4

+

|-

+

| 1

+

| Ticket View (optional)

+

| In

+

| 0x98 if present, not checked if absent (should be 0)

+

| 32

+

|-

+

| 2

+

| [[TMD]] (required)

+

| In

+

| Arbitrary

+

| 32

+

|-

+

| 3

+

| [[Certificate chain|Shared certs]] (optional)

+

| In

+

| Arbitrary

+

| 32

+

|-

+

| 4

+

| ES Error

+

| Out

+

| 0x20 (of which only the first 4 bytes are used)

+

| 4

+

|}

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x94)

+

|-

+

| 4

+

| off_t

+

| Partition offset

+

|- {{partial2}}

+

| 4

+

| runopenpartparam*

+

| params (see above)

+

|- {{partial2}}

+

| 8

+

| u32 *

+

| ES error output

+

|}

+

== Ioctls ==

+

Using a number not listed here results in a return value of 0x80. The input buffer must be sized 0x20 (except for command 0x8E). Unless otherwise noted, commands return 1 on success.

+

Ioctls are implemented in two functions: DiIoctl and handleDiCommand. handleDiCommand is actually also used by IoctlV as well, and other than for DVDLowOpenPartition, IoctlV commands are accidentally exposed as Ioctls as well. The following commands are implemented in DiIoctl:

+

{{collapse|title=Commands implemented in DiIoctl|text=

+

<ul>

+

<li>0x79 DVDLowWaitForCoverClose</li>

+

<li>0x7A DVDLowGetCoverRegister</li>

+

<li>0x83 DVDLowGetLength</li>

+

<li>0x84 Get DIIMMBUF</li>

+

<li>0x85 DVDLowMaskCoverInterrupt</li>

+

<li>0x86 DVDLowClearCoverInterrupt</li>

+

<li>0x87 DVDLowUnmaskStatusInterrupts</li>

+

<li>0x88 DVDLowGetCoverStatus</li>

+

<li>0x89 DVDLowUnmaskCoverInterrupt</li>

+

<li>0x8B DVDLowOpenPartition ioctl</li>

+

<li>0x8E DVDLowEnableDvdVideo</li>

+

<li>0x95 DVDLowGetStatusRegister</li>

+

<li>0x96 DVDLowGetControlRegister</li>

+

</ul>

+

}}

+

Commands will clear the error interrupt by writing bit 2 of DISR if it is set after execution. Furthermore, the same check happens before execution, but this should generally not happen barring other code directly writing to the DI registers (a warning is logged in this case). These checks happen in handleDiCommand, so commands implemented in DiIoctl are not affected; additionally the second check is skipped for 0x8A DVDLowReset and 0xE0 DVDLowRequestError. In some versions, the second check will also issue a request error command to the drive (which, as a side effect, clears the error in the drive itself, which would break a second DVDLowRequestError — that explains why it is skipped).

+

If an output buffer size check fails, DIMAR and DILENGTH will not be written, and there is code that sets the return value to 0x20. However, the driver still attempts to start the transfer, which will fail due to not writing DILENGTH (which should have counted back down 0 after any previous successful transfer{{check}}); this will result in an eventual timeout and returning of 0x10{{check}}.

+

=== 0x12 DVDLowInquiry ===

+

Retrieves information about the drive verison; see [http://hitmen.c02.at/files/yagcd/yagcd/chap5.html#sec5.7.3.1 yagcd §5.7.3.1] for more info.

+

The output buffer size must be ≥ 0x20, or DIMAR and DILENGTH will not be written. It must also be 32-bit aligned, or else the driver will hang.

+

Note that YAGCD is incorrect and there is actually one additional byte after the drive date, [https://web.archive.org/web/20070602090342/http://www.crazynation.org/GC/GC_DD_TECH/GCTech.htm apparently] indicating the version. This is not new to the Wii.

+

DICMDBUF0 = 0x12000000

+

DILENGTH = 0x20

+

DIMAR = outbuf

+

DICMDBUF1 = 0

+

DICR = TSTART | DMA

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x12)

+

|}

+

=== 0x70 DVDLowReadDiskID ===

+

Reads the current disc ID and initializes the drive. Many other commands will not work before this (either by explicitly checking, or due to the drive returning error 0x05xxxxxx).

+

This command cannot be used while the drive interface is resetting (if [[IOS/Syscalls|syscall]] 0x46 syscall_check_di_reset returns true); in which case it will return 0x80. 0x80 will also be returned if the output buffer is not 32-byte aligned.

+

The output buffer size must be ≥ 0x20, or DIMAR and DILENGTH will not be written.

+

DICMDBUF0 = 0xA8000040

+

DICMDBUF1 = 0

+

DICMDBUF2 = 0x20

+

DILENGTH = 0x20

+

DIMAR = dest

+

DICR = TSTART | DMA

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x70)

+

|}

+

After this command has finished reading, the driver will also look at the 4 bytes at offset 0x18 in the output (i.e. outbuf[6] if outbuf is a u32 array) for the Wii magicword 0x5D1C9EA3 to determine if it is a [[Wii Disc|Wii disc]]. If it is a Wii disc, and it has not already read it, it will read 0x44 (padded to 0x60) bytes starting at byte 0x20 (i.e. the game title, and the disable hashing and disable encryption flags). Thus, after the first call, DVDLowGetLength will return 0x60, and on later calls it will return 0x20.

+

=== 0x71 DVDLowRead ===

+

Reads and decrypts disc data. This command can only be used if hashing and encryption are enabled for the disc. DVDLowOpenPartition needs to have been called before for the keys to be read.

+

The output buffer has no requirements on alignment, but will perform better if 32-byte aligned since it can avoid a copy from a buffer within the driver. Similarly, the offset and size can be any value, but ones that are sector-aligned (sizes that are multiples of 0x7C00 and offsets that are multiples of 0x1F00) avoid copies for the first and/or last sector that needs to be read and decrypted. Each individual sector is read using command 0xA8.

+

This command immediately returns 0x20 if the buffer is too small, and also returns 0x20 if something went wrong with decryption or hashing and 2 for a drive error.

+

If everything completed successfully, the last length value used by DVDLowGetLength is set to offset (almost certainly a mistake on Nintendo's end). Otherwise, it is set to 0.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x71)

+

|-

+

| 4

+

| size_t

+

| Size (bytes)

+

|-

+

| 8

+

| off_t

+

| Offset (bytes >> 2)

+

|}

+

=== 0x79 DVDLowWaitForCoverClose ===

+

Waits for a disc to be inserted; if there is already a disc inserted, it must be removed first. This command does not time out; if no disc is inserted, it will wait forever. (As such, I'm not entirely sure how it can be cancelled; I assume but have not checked that the Wii Fit Channel uses this when waiting for the Wii Fit disc to be inserted, but that can be canceled...)

+

Continuously waits for a DI interrupt, and when it receives one it checks for the cover interrupt (bit 2 of DICVR); if it is set it then checks if the cover is closed (bit 0 of DICVR) and if sufficient time has ellapsed. It also clears the TC and error interrupts should they occur.

+

The output buffer is not used, and it may be null. Its size is not checked.

+

On completion, returns 0x4.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x79)

+

|}

+

=== 0x7A DVDLowGetCoverRegister ===

+

Stores the current value of DICVR into outbuf, which must be at least 4 bytes in size (or else 0x20 is returned). Note that Nintendo titles also refer to this as DVDLowPrepareCoverRegister, but that function simply asynchronously reads it into game memory so that it can be accessed by a separate function later. (A similar name pattern is found for the other get-reg commands.)

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x7A)

+

|}

+

=== 0x7E DVDLowNotifyReset ===

+

Resets internal flags, closes the open partition (if there is one), clears the transfer complete interrupt and drive error interrupt, enables the transfer complete interrupt and error interrupt, and disables the cover interrupt.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x7E)

+

|}

+

=== <s>0x7F DVDLowSetSpinupFlag</s> ===

+

Prints the message "(handleDiCommand) DI_SET_SPINUP_FLAG_CMD should have been executed in the PPC shim layer only" and returns 0x80.

+

The PPC-side simply stores a boolean which is later used as the parameter to DVDLowReset. For some reason, Nintendo decided to give it an ioctl number as well, even though it didn't need one.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x7F)

+

|}

+

=== 0x80 DVDLowReadDvdPhysical ===

+

Probably related to DVD-Video{{check}}.

+

The output buffer size must be ≥ 0x800, or DIMAR and DILENGTH will not be written. The output buffer also needs to be 32-byte aligned, or else the driver will hang.

+

DICMDBUF0 = 0xAD000000 | (position << 8) // AD00XX00

+

DICMDBUF1 = 0

+

DICMDBUF2 = 0

+

DILENGTH = 0x800

+

DIMAR = dest

+

DICR = TSTART | DMA

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x80)

+

|-

+

| 7

+

| u8

+

| Position(?)

+

|}

+

=== 0x81 DVDLowReadDvdCopyright ===

+

Probably related to DVD-Video{{check}}.

+

DICMDBUF0 = 0xAD010000 | (position << 8) // AD01XX00

+

DICMDBUF1 = 0

+

DICMDBUF2 = 0

+

DICR = TSTART

+

The contents of DIIMMBUF (u32) are written to the output buffer. The output buffer size is not checked, but 4 would be a sane value.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x81)

+

|-

+

| 7

+

| u8

+

| Position(?)

+

|}

+

=== 0x82 DVDLowReadDvdDiscKey ===

+

Probably related to DVD-Video{{check}}.

+

The output buffer size must be ≥ 0x800, or DIMAR and DILENGTH will not be written. The output buffer also needs to be 32-byte aligned, or else the driver will hang.

+

DICMDBUF0 = 0xAD020000 | (position << 8) // AD02XX00

+

DICMDBUF1 = 0

+

DICMDBUF2 = 0

+

DILENGTH = 0x800

+

DIMAR = dest

+

DICR = TSTART | DMA

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x82)

+

|-

+

| 7

+

| u8

+

| Position(?)

+

|}

+

=== 0x83 DVDLowGetLength ===

+

Stores the last DILENGTH value into outbuf, which must be at least 4 bytes in size (or else 0x20 is returned). Note that this doesn't directly read DILENGTH, but rather a separate value that is set when DILENGTH is set (and zero'd if a read error occurs on a command that uses DILENGTH; this means that this command cannot be used to get the amount of data still left to be transfered when the error happened).

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x83)

+

|}

+

=== 0x84 Get DIIMMBUF ===

+

Stores the current value of DIIMMBUF into outbuf, which must be at least 4 bytes in size (or else 0x20 is returned).

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x83)

+

|}

+

=== 0x85 DVDLowMaskCoverInterrupt ===

+

Disables the cover interrupt by clearing bit 1 of DICVR (leaving bit zero unchanged). Does not clear the cover interrupt if it is currently asserted (does not write bit 2). Actual code is <code>DICVR = (DICVR & ~4 & ~2)</code>.

+

Titles have a DVDLowMaskCoverInterrupt function that is dummied out to always return 1; this function is used by DVDInit in the exact same place that gamecube titles write <code>DICVR = 0</code> (which should be equivalent, as writes to bit 0 which indicates the cover status presumably do nothing{{check}}). However, since it is stubbed out, there is no way of being sure that 0x85 was actually used by that function.

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x85)

+

|}

+

=== 0x86 DVDLowClearCoverInterrupt ===

+

Clears the cover interrupt by writing bit 2 of DICVR (leaving the other bits unchanged).

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x86)

+

|}

+

=== <s>0x87 DVDLowUnmaskStatusInterrupts</s> ===

+

Dummied out; does nothing (and always returns 1).

+

Titles have a DVDLowUnmaskStatusInterrupts function that is dummied out to always return 1; this function is used by DVDInit in the exact same place that gamecube titles write <code>DISR = 0x2a</code> (which enables DEINTMASK, TCINTMASK, and BRKINTMASK, and does not clear any asserted interrupts). However, since it is stubbed out, there is no way of being sure that 0x87 was actually used by that function.

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x87)

+

|}

+

=== 0x88 DVDLowGetCoverStatus ===

+

Checks the current cover status and stores the result into outbuf, which must be at least 4 bytes in size (or else 0x20 is returned).

+

The result is 0 right after a reset{{check}}, 1 if a disc is not inserted (bit 1 of DICVR set), and 2 if a disc is inserted (bit 1 of DICVR not set).

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x88)

+

|}

+

=== 0x89 DVDLowUnmaskCoverInterrupt ===

+

Enables the cover interrupt by setting bit 1 of DICVR (leaving bit zero unchanged). Does not clear the cover interrupt if it is currently asserted (does not write bit 2). Actual code is <code>DICVR = ((DICVR & ~4) | 2)</code>.

+

Debug symbols list a function called DVDLowUnmaskCoverInterrupt, but no actual function remains as it was removed as unused (and even if it did still exist, it presumably would be dummied out to just return 1 as it is only 8 bytes). Therefore, there is no way to be certain that 0x89 actually was called DVDLowUnmaskCoverInterrupt, but it seems very likely based on DVDLowMaskCoverInterrupt.

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x89)

+

|}

+

=== 0x8A DVDLowReset ===

+

Resets the drive, using [[IOS/Syscalls|syscalls]] 0x44, 0x45, and 0x46. If a reset is already in progress (check_di_reset returns true), then it immediately calls deassert_di_reset; otherwise, it calls assert_di_reset, waits 12µs, and then calls deassert_di_reset. Afterwards, registers are reset in the same way as DVDLowNotifyReset other than the cover interrupt. The cover interrupt is temporarilly disabled during this process, but is reenabled afterwards if it was enabled before.

+

Enable spinup is passed to syscall 0x4e, which activates the DI_SPIN [[Hardware/Hollywood_GPIOs|GPIO]] if it is 0 and disables it otherwise.

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x8A)

+

|-

+

| 4

+

| u32

+

| Enable spinup

+

|}

+

=== <s>0x8B DVDLowOpenPartition ioctl</s> ===

+

Returns 0x20 and prints a warning that "OPEN_PARTITION done through Ioctlv, not Ioctl".

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x8B)

+

|}

+

=== 0x8C DVDLowClosePartition ===

+

+

Closes the currently-open partition, removing information about its keys and such.

+

The output buffer is not used, and it may be null. Its size is not checked.

+

{| class="wikitable"

+

|+ Command

+

! Offset

+

! Type

+

! Name

+

|-

+

| 0

+

| u8

+

| Command (0x8C)

+

|}

+

=== 0x8D DVDLowUnencryptedRead ===

+

Reads raw data from the disc. Only usable in the [[Wii_Disc#.22System_Area.22|"System Area"]] of the disc. The start and end must lie within a single one of the following ranges or else 0x20 is returned:

+

{| class="wikitable"

+

|+ Ranges

+

! Start (offset)

+

! Start (bytes)

+

! Length (offset)

+

! Length (bytes)

+

! End (offset)

+

! End (bytes)

+

|-

+

| 0

+

| 0

+

| 0x14000

+

| 0x50000

+

| 0x14000

+

| 0x50000

+

|-

+

| 0x460A0000

+

| 0x118280000

+

| 8

+

| 0x20

+

| 0x460A0008

+

| 0x118280020

+

|-

+

| 0x7ED40000

+

| 0x1FB500000

+

| 8

+

| 0x20

+

| 0x7ED40008

+

| 0x1FB500020

+

|}

+

The output buffer must be 32-byte aligned and the length must also be a multiple of 32; otherwise, 0x80 is returned.

+

The output buffer size must be ≥ length, or DIMAR and DILENGTH will not be written.

+

DICMDBUF0 = 0xA8000000

+

DICMDBUF1 = position

+

DICMDBUF2 = length

+

DILENGTH = length

+

DIMAR = dest

+

DICR = TSTART|DMA

−

The ~~output buffer size must be~~ ≥ length, ~~or DIMAR~~ and ~~DILENGTH will~~ not be ~~written~~.

+

Versions of IOS prior to [[IOS28]] only permitted reads in the first range. The [[#Aug 10 2006 11:24:50|prelaunch august 10 build]] further restricts it to only allow reads starting at offset 0x10000 (byte 0x40000), along with a 1-higher upper bound (likely due to use of ≤ instead of just less than) which does not matter in practice due the length alignment requirement. This means that the PPC would only have access to the [[Wii Disc]]'s partitions information and such, and not header bytes beyond 0x20 (the first 0x20 bytes are accessible through [[#0x70 DVDLowReadDiskID|0x70 DVDLowReadDiskID]]), i.e. the game title and encryption information cannot be accessed.

−

~~DICMDBUF0 = 0xA8000000~~

−

~~DICMDBUF1 = position~~

−

~~DICMDBUF2 = length~~

−

~~DILENGTH = length~~

−

~~DIMAR = dest~~

−

~~DICR = TSTART|DMA~~

−

~~Versions of IOS prior to IOS30 only permitted reads in the first range{{check}}.~~ Nintendo titles check on startup if they are running an IOS ≥ 30 (and ≤ 253) and if so, perform some DI checks; specifically, they attempt to read 0x20 bytes from 0x460a0000 (or from 0x7ed40000 if the byte at 0x8000319c is 0x81 — possibly related to dual-layer discs?). If this read attempt returns anything other than 2, the game will refuse to start with the message "An error has occurred. Press the Eject Button, remove the Game Disc, and turn off the power to the console. Please read the Wii Operations Manual for further instructions." If the drive error is anything other than 0x0052100 (OK/Logical block address out of range), the game will refuse to start with the message "Error #001, unauthorized device has been detected."

+

Nintendo titles check on startup if they are running an IOS ≥ 30 (and ≤ 253) and if so, perform some DI checks; specifically, they attempt to read 0x20 bytes from 0x460a0000 (or from 0x7ed40000 if the byte at 0x8000319c is 0x81 — possibly related to dual-layer discs?). If this read attempt returns anything other than 2, the game will refuse to start with the message "An error has occurred. Press the Eject Button, remove the Game Disc, and turn off the power to the console. Please read the Wii Operations Manual for further instructions." If the drive error is anything other than 0x0052100 (OK/Logical block address out of range), the game will refuse to start with the message "Error #001, unauthorized device has been detected."

{| class="wikitable"

Hallowizer

5,579

edits

Changes

/dev/di (view source)

Revision as of 05:48, 22 February 2022