Changes

938 bytes added ,  23:25, 13 March 2008
Quick explanation of how it works
Today the first footage from running the Datel FreeLoader disc got released. It seems to use a new security hole to patch the whole system, even without starting the disc itself.

It's using 'R' as the WiiDisc ID (like any ordinary WiiDisc); I'm not sure if it's using the Trucha signature yet. Anyway, it's using a custom apploader to apply the patch to memory. I'm gonna disassemble it later.
It seems to use a hole in the [[Opening.bnr]] or some other file which gets loaded from DVD even without entering the disc channel.

The main.dol doesn't contain anything at all, because it will never get loaded.

We might use a similar exploit later to allow homebrew to run, but first we have to figure out exactly how it works. :)

Partition (RFLPWK):
  offset:         0x50000
  type:           0
  TMD size:       520
  TMD offset:     0x2c0
  CERTS size:     2560
  CERTS offset:   0x4e0
  H3 offset:      0x8000
  DATA size:      8388608
  DATA offset:    0x20000

ticket.bin:
  issuer:         Root-CA00000001-XS00000003
  titlekey (E):   e086833865486bf75dd0dbbe7e3e0502
  title ID (IV):  00010000524d4745

tmd.bin:
  issuer:         Root-CA00000001-CP00000004
  version:        0
  ca ver:         0
  sign ver:       0
  system version: 0000000100000021
  title id:       00010000524d4745
  title type:     1
  group id:       3031
  access:         00000000
  title version:  0000
  files count:    1
  boot index:     00000000
  file id: 0
    index: 0
    type:  3
    size:  4286316544
    hash:  46d287895176d40e69c8dee0ca162f41e2bde79d

No files are in root.

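The tmd.bin dump above is the output of some tool walking the TMD structure. As an added example (not from this page or from any of the tools it mentions), here is a small parser that reads the same fields from a raw TMD and checks that the record count and boot index are internally consistent. The field offsets assumed here are the commonly documented Wii TMD layout (signature block, 64-byte issuer at 0x140, fixed header through 0x1E4, then 36-byte content records); the sample TMD is constructed in the block from the values printed above, with a zeroed signature, and comes out at 520 bytes, which matches the "TMD size: 520" in the partition header. The `content_matches` helper shows what the per-content SHA-1 and size fields are for; the content blob it is fed is likewise constructed.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

# Assumed Wii TMD layout (commonly documented, not stated on this page):
# fixed header of 0x1E4 bytes, followed by one 36-byte record per content.
TMD_HEADER_LEN = 0x1E4
CONTENT_RECORD_LEN = 36  # content id(4) + index(2) + type(2) + size(8) + sha1(20)


@dataclass
class ContentRecord:
    content_id: int
    index: int
    type: int
    size: int
    sha1: bytes


@dataclass
class TMD:
    sig_type: int
    issuer: str
    version: int
    ca_crl_version: int
    signer_crl_version: int
    system_version: int
    title_id: int
    title_type: int
    group_id: int
    access_rights: int
    title_version: int
    boot_index: int
    contents: List[ContentRecord]


def parse_tmd(data: bytes) -> TMD:
    """Parse a raw TMD; raises ValueError if the structure is inconsistent."""
    if len(data) < TMD_HEADER_LEN:
        raise ValueError("TMD shorter than its fixed header")
    sig_type = struct.unpack_from(">I", data, 0x000)[0]
    # Issuer is a NUL-padded ASCII string in a 64-byte field.
    issuer = data[0x140:0x180].split(b"\0", 1)[0].decode("ascii")
    version, ca_crl, signer_crl = struct.unpack_from(">BBB", data, 0x180)
    system_version, title_id = struct.unpack_from(">QQ", data, 0x184)
    title_type, group_id = struct.unpack_from(">IH", data, 0x194)
    access_rights, title_version, num_contents, boot_index = struct.unpack_from(
        ">IHHH", data, 0x1D8)
    expected_len = TMD_HEADER_LEN + CONTENT_RECORD_LEN * num_contents
    if len(data) < expected_len:
        raise ValueError("TMD claims %d contents but is only %d bytes"
                         % (num_contents, len(data)))
    if boot_index >= num_contents:
        raise ValueError("boot index %d outside content table" % boot_index)
    contents = []
    for i in range(num_contents):
        off = TMD_HEADER_LEN + CONTENT_RECORD_LEN * i
        cid, idx, ctype, size = struct.unpack_from(">IHHQ", data, off)
        sha1 = data[off + 16:off + 36]
        contents.append(ContentRecord(cid, idx, ctype, size, sha1))
    return TMD(sig_type, issuer, version, ca_crl, signer_crl, system_version,
               title_id, title_type, group_id, access_rights, title_version,
               boot_index, contents)


def content_matches(rec: ContentRecord, blob: bytes) -> bool:
    """True if a content blob has the size and SHA-1 recorded in the TMD."""
    return len(blob) == rec.size and hashlib.sha1(blob).digest() == rec.sha1


def build_sample_tmd() -> bytes:
    """Constructed TMD using the values from the dump above (signature zeroed)."""
    buf = bytearray(TMD_HEADER_LEN)
    struct.pack_into(">I", buf, 0x000, 0x00010001)  # RSA-2048 signature type
    issuer = b"Root-CA00000001-CP00000004"
    buf[0x140:0x140 + len(issuer)] = issuer
    struct.pack_into(">BBB", buf, 0x180, 0, 0, 0)   # version, ca ver, sign ver
    struct.pack_into(">QQ", buf, 0x184, 0x0000000100000021, 0x00010000524D4745)
    struct.pack_into(">IH", buf, 0x194, 1, 0x3031)  # title type, group id ("01")
    struct.pack_into(">IHHH", buf, 0x1D8, 0, 0, 1, 0)  # access, version, count, boot
    record = struct.pack(">IHHQ", 0, 0, 3, 4286316544) + bytes.fromhex(
        "46d287895176d40e69c8dee0ca162f41e2bde79d")
    return bytes(buf) + record


if __name__ == "__main__":
    tmd = parse_tmd(build_sample_tmd())
    print("title id %016x, %d content(s), boot index %d"
          % (tmd.title_id, len(tmd.contents), tmd.boot_index))
```

The group id 3031 in the dump is the hex form of the ASCII publisher code "01", and the title ID 00010000524d4745 decodes to the game code RMGE, which is why the sample packs them as integers rather than strings.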
Video:

http://www.youtube.com/watch?v=z4iWEtsZMvE