Sunday, November 22, 2009

A thorough explanation of IOS and cIOS for everyone

We all remember when we first hacked our Wii. It was a fairly straightforward process: crash your Wii, run some magic code (called a boot.elf) and install a magic channel that lets you run any code you want, and as much of it as you want (homebrew applications, or apps).

Eventually we began reading more and more about the cool Wii homebrew applications, and we kept running into these things they used called IOSs and cIOSs. Often we would see "You must have cIOS 249 installed to use this app" or "You must have an IOS that accepts fakesigning", and most commonly of late, "No vulnerable IOS found. For security reasons, we will not use an IOS that accepts fakesigning."

This post is intended as a thorough explanation of what IOSs are, how they work, and what a cIOS is. Anyone at any experience level (except the Hackmii l33t) should learn something here.

I feel the best way to start explaining IOSs is to take a trip through Wii homebrew history. Back when Hackmii developed the Twilight Hack, coders and users alike suddenly had the ability to create and run unsigned (unofficial, i.e. "homebrew") code on their Nintendo Wiis. However, it was undoubtedly very inconvenient to have to run The Legend of Zelda: Twilight Princess and crash it every single time you wanted to run one piece of code on your Wii. So Hackmii went to work creating a channel that you could launch right from the Wii menu and run homebrew code with. In fact, this channel would be able to run multiple pieces of code in a single session.

To install a channel, Hackmii went to work figuring out how the Wii installs channels natively. It turned out that the Wii relies on an underlying system called IOS to do just that and more. A Wii contains multiple IOSs, used for different purposes but sharing the same basic functions; in fact there is room for 255 different IOSs. One IOS serves the system menu, others are used by games, and others still by certain channels. However, no more than one IOS is ever running at a time.

It was determined shortly afterward that each IOS is made up of a set of low-level functions, or code routines. Wii programs (games, channels, the system menu, etc.) call on the functions inside IOS to get things done. If this reminds you of the Linux kernel, you're thinking along the right lines: an IOS plays the same role for the Wii that the kernel plays for Linux.

One of the functions of IOS is installing content, and installable content of course includes channels. Installing a channel involves two keys.
The first, the common key, is the same in every Nintendo Wii. It sits in one-time-programmable memory inside the Hollywood chip, next to the Starlet coprocessor, and is used to decrypt the title key carried in a title's ticket, which in turn decrypts the title's contents. To obtain it, Hackmii carried out the tweezer attack (this is where the name Team Twiizers comes from): a pair of tweezers bridged address lines on the Wii's main memory while homebrew ran in GameCube mode, so that memory GameCube mode normally cannot reach became readable, and the key material the boot process had left in RAM could be dumped. And so the first of the two keys, the common key, was recovered: EBE42A225E8593E448D9C5457381AAF7 (base 16)

The second key is Nintendo's private signing key. It is stored only on Nintendo's servers, and there is literally no way to obtain it from the client side except to brute-force it (guess again and again until you guess right), which is not feasible. However, after staring at IOS disassemblies for countless hours, Hackmii realized that every IOS had the same bug in its signature check. To verify a signature, IOS decrypts the RSA signature block with Nintendo's public key, which yields the SHA-1 hash the signer vouched for, and compares that with the SHA-1 hash it computes over the data itself. That comparison was done with strncmp(). strncmp() is a C function for comparing strings, and it stops at the first null byte because it assumes that is where a string ends. A signature block filled with zeros "decrypts" to a hash of all zeros, so if the hash IOS computes over the data also happens to begin with a zero byte, strncmp() stops right there and reports a match. All an attacker has to do is leave the signature zeroed and tweak an unused padding field in the data until its SHA-1 hash starts with 0x00, which takes about 256 tries on average. Installing content signed this way is called fakesigning. The bug in IOS (using strncmp() on a binary hash, as opposed to, say, memcmp()) is called the trucha bug.

To summarize so far: in order to install fakesigned content onto the Wii, the IOS running in the background must contain the trucha bug.
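The trucha bug and fakesigning described above, modelled in Python as an added example (this is not code from the original post, from IOS, or from any Hackmii release). Real IOS recovers the hash from an RSA signature block; the model skips RSA and hands the check the hash that decryption would have produced, since an all-zero signature decrypts to all zeros. The layout of the signed data (a body followed by a 4-byte padding field) and the sample body are constructed for the example and stand in for the real TMD and ticket structures.

```python
"""Model of the IOS 'trucha bug' hash comparison and of fakesigning.

Added example, not code from the original post or from IOS. The hash check is
fed the digest an RSA decryption would yield (zeros for a zeroed signature);
the signed-data layout (body + 4-byte padding field) is assumed for the example.
"""
import hashlib
import struct
from typing import Tuple

HASH_LEN = 20  # size of a SHA-1 digest in bytes


def digest(data: bytes) -> bytes:
    """SHA-1 of the signed data, as IOS computes it before the comparison."""
    return hashlib.sha1(data).digest()


def strncmp_like(a: bytes, b: bytes, n: int) -> int:
    """C strncmp() semantics on byte strings: compare at most n bytes, but
    stop at the first NUL because the inputs are treated as C strings."""
    for i in range(n):
        ca = a[i] if i < len(a) else 0
        cb = b[i] if i < len(b) else 0
        if ca != cb:
            return ca - cb
        if ca == 0:
            return 0  # both "strings" ended here: reported equal
    return 0


def verify_trucha(data: bytes, sig_hash: bytes) -> bool:
    """The vulnerable check: two 20-byte binary digests compared with strncmp().
    A digest is not a string, so a leading 0x00 byte ends the comparison early."""
    return strncmp_like(sig_hash, digest(data), HASH_LEN) == 0


def verify_fixed(data: bytes, sig_hash: bytes) -> bool:
    """The fix: memcmp()-style comparison over all 20 bytes (== on bytes)."""
    return sig_hash == digest(data)


# What an all-zero RSA signature block "decrypts" to, as the hash check sees it
# (0^e mod n == 0).
ZERO_SIG_HASH = bytes(HASH_LEN)


def fakesign(body: bytes) -> Tuple[bytes, int]:
    """Fakesign `body`: keep the signature zeroed and vary the (assumed) 4-byte
    padding field until SHA-1 of the whole blob starts with 0x00.
    Returns the blob and the number of attempts; about 256 are needed on average."""
    for attempt in range(1, 1 << 32):
        blob = body + struct.pack(">I", attempt)
        if digest(blob)[0] == 0x00:
            return blob, attempt
    raise RuntimeError("no padding value found (not expected in practice)")


# Constructed sample: stands in for the signed part of a TMD or ticket.
SAMPLE_BODY = b"constructed TMD body for a homebrew channel"


if __name__ == "__main__":
    blob, attempts = fakesign(SAMPLE_BODY)
    print(f"fakesigned after {attempts} attempts, SHA-1 = {digest(blob).hex()}")
    print("trucha IOS accepts it: ", verify_trucha(blob, ZERO_SIG_HASH))
    print("patched IOS accepts it:", verify_fixed(blob, ZERO_SIG_HASH))
```

Run it and the fakesigned blob passes `verify_trucha` with a zeroed signature while `verify_fixed` rejects it; a genuine signature (one whose decrypted hash equals the data's SHA-1) passes both, which is why the fix broke nothing legitimate.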

Later down the line, Nintendo began updating IOSs to fix the trucha bug, most likely by replacing the strncmp() check with memcmp(), which does not stop at a null byte. Hackmii came up with a piece of code called patchmii to download the new IOSs and patch the trucha bug back into them. IOSs that have had the trucha bug patched back in are called cIOSs (custom IOSs).

tona was the first programmer to release an application that downloaded an IOS (IOS 36, specifically), patched it (making it a cIOS), and installed it under a different slot (IOS 249). Thus cIOS 249 was created.

Other programmers have since replicated the feat. Waninkoko, together with WiiGator, maintains a cIOS installer that applies the trucha bug and other patches to an IOS (IOS 36, I believe) and installs it as IOS 249. The patches beyond the trucha bug exist to let pirated games run, which has made cIOS 249 the "warez IOS" and Nintendo's primary concern. I could give you a spiel about how this IOS appears to be inflated with inefficient code and how a lot of what's in it doesn't actually work as claimed, but that's for another post.

So now I've walked you through what IOSs and cIOSs are by way of their history. Hopefully you now understand their purpose and can better follow what homebrew apps mean when they reference them.

If you have any questions regarding the content of this post, feel free to leave a comment, join me in #arikadosblog on EFNET, post in our forums, tweet to me, or send me an e-mail at castlevania7689@yahoo.com

14 comments:

  1. Very helpful, thanks!

  2. Brilliant, keep up the wonderful blog. It is incredibly informative. Having such a great window into homebrew for relative new comers eager to aid the scene is motivating.

  3. Awesome, your explanation was very informative. Thanks and keep up your work ;)

  4. This is the best IOS information I've found on the internet - thanks!

  5. Thank you for your clarification... I've spent many countless hours searching for information regarding Wii homebrew specifics that usually ended with irrelevant links, information on other topics, or nothing at all... This is not the case with your blog. Even though (don't shoot me, it's just an opinion) the amount of information at the moment is lacking, everything that I have read has been clear, concise, and to the point... Good job!...

  6. I appreciate your opinion. If you have a request of something you would like to see me write, please tell me.

  7. Thanks for all the info, now I do understand the difference, keep up the good work!

  8. The best explanation I've read about IOS and cIOS.

  9. Great explanation.

    Could you clarify on what a base IOS is? Waninkoko's recent rev18 release lets the user select from a list of IOSes as a base. What influences the choosing of one base compared to another?

  10. The base IOS is just the IOS you are going to apply Waninkoko's rev18 code to. rev18 is basically nothing but an IOS patch. Each IOS has different modules or functions in it. For the most part, though, the IOSs are almost identical. If you currently have an IOS with patches (which refers to extra or changed modules in this case) applied to it that are not in Waninkoko's latest release, it would be advantageous for you to choose that as your base IOS.

    Hope that helps you :)

  11. Aah, nice one, I somewhat knew how the IOS works, but was unsure how they got the cIOS to work, very enlightening.

  12. I was searching for some useful information about Wii homebrew. I never knew that each IOS has different modules or functions in it. I thought that it is identical in all respects, and also now I know how they got the cIOS to work.

  13. More than two years after the last comment... But thanks a lot, excellent explanation!
