diff --git a/assets/battery_cutplace.jpg b/assets/battery_cutplace.jpg new file mode 100644 index 0000000..0b2bc03 Binary files /dev/null and b/assets/battery_cutplace.jpg differ diff --git a/assets/battery_normal.jpg b/assets/battery_normal.jpg new file mode 100644 index 0000000..81799bd Binary files /dev/null and b/assets/battery_normal.jpg differ diff --git a/assets/battery_opened.jpg b/assets/battery_opened.jpg new file mode 100644 index 0000000..a94e218 Binary files /dev/null and b/assets/battery_opened.jpg differ diff --git a/assets/battery_pcbbend.jpg b/assets/battery_pcbbend.jpg new file mode 100644 index 0000000..8c475e6 Binary files /dev/null and b/assets/battery_pcbbend.jpg differ diff --git a/assets/cyclodsevo.jpg b/assets/cyclodsevo.jpg new file mode 100644 index 0000000..c004890 Binary files /dev/null and b/assets/cyclodsevo.jpg differ diff --git a/assets/ez3in1.jpg b/assets/ez3in1.jpg new file mode 100644 index 0000000..32397b4 Binary files /dev/null and b/assets/ez3in1.jpg differ diff --git a/assets/nintendo_ds_lite.jpg b/assets/nintendo_ds_lite.jpg new file mode 100644 index 0000000..33cee20 Binary files /dev/null and b/assets/nintendo_ds_lite.jpg differ diff --git a/assets/s93c56scheme.png b/assets/s93c56scheme.png new file mode 100644 index 0000000..9713ec7 Binary files /dev/null and b/assets/s93c56scheme.png differ diff --git a/assets/samsung_se-t084m.jpg b/assets/samsung_se-t084m.jpg new file mode 100644 index 0000000..9c3618b Binary files /dev/null and b/assets/samsung_se-t084m.jpg differ diff --git a/know-how/hacking/_posts/2008-12-05-sony-playstation-2.md b/know-how/hacking/_posts/2008-12-05-sony-playstation-2.md new file mode 100644 index 0000000..ecfe23a --- /dev/null +++ b/know-how/hacking/_posts/2008-12-05-sony-playstation-2.md 
@@ -0,0 +1,20 @@ +--- +title: Sony PlayStation 2 +language: en +layout: default +created: 2008-12-05 00:31:49 +0100 +updated: 2008-12-05 00:31:49 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - sony + - playstation + - pstwo +--- + diff --git a/know-how/hacking/_posts/2009-02-02-samsung-sgh-z300.md b/know-how/hacking/_posts/2009-02-02-samsung-sgh-z300.md new file mode 100644 index 0000000..4449881 --- /dev/null +++ b/know-how/hacking/_posts/2009-02-02-samsung-sgh-z300.md 
@@ -0,0 +1,64 @@ +--- +title: Samsung SGH-Z300/ZM60 +language: en +layout: default +created: 2009-02-02 18:44:27 +0100 +updated: 2009-02-02 18:51:02 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - samsung + - phone +--- +I got a Samsung ZM-60 from T-Mobile (incl. SIMlock). The first shock came after switching it on for the first time: +Everything was in the T-Mobile magenta color. After some research, I found out, that it's originally a `SGH-Z300`. + + +Firmware flashing +================= + +Instructions on how to flash a new firmware are on [handy-faq.de](http://www.handy-faq.de/forum/showthread.php?t=13916). +There also was a nice collection of firmware images on [anvi.it](http://www.anvi.it/forum/index.php?showtopic=20637), +but seems to be down for now. + +The best firmware seems to be the `Z300AIEK1`, since it is only slightly branded by *TIM* (an Italian provider?) and +contains everything the original Samsung-Firmwares do. + +You can use the supplied cable to flash the phone. + +1. run the *Downloader Z300-Z500* +1. find your desired firmware file +1. power off the phone, hold the 9 key and power it on so that the outer display shows "Download" on red + background +1. initiate the transfer + +The flashing takes about 12 minutes and after that, you have the original Z300 Samsung theme. + + +SIMlock +======= + +To remove the SIMlock, there's a manual at [gsmhosting.com](http://forum.gsmhosting.com/vbb/showthread.php?t=239111). +You need the *Qualcomm Unlocker* and a PC with a `COM1:` port where you need to short the Pins #2 and #3. Then it's a +thing of 20 seconds to get rid of the SIMlock. + + +Downloading jar files +===================== + +The phone accepts `.jar` files from any server if it sends the content type `application/java-archive` instead of +`application/octet-stream`. 
This is easily accomplished by adding a `.htaccess` file with the line + + AddType application/java-archive .jar + +to the directory where the `.jar` files are on your server. + + +Phone identification +==================== + +The phone sends the following User-Agent to websites: + + SGH-Z300 SHP/VPP/R5 SMB3.1 SMM-MMS/1.2.0 profile/MIDP-2.0 diff --git a/know-how/hacking/_posts/2009-02-02-siemens-a55.md b/know-how/hacking/_posts/2009-02-02-siemens-a55.md new file mode 100644 index 0000000..c7b1586 --- /dev/null +++ b/know-how/hacking/_posts/2009-02-02-siemens-a55.md @@ -0,0 +1,18 @@ +--- +title: Siemens A55 +language: en +layout: default +created: 2009-02-02 22:30:48 +0100 +updated: 2009-02-02 22:30:48 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - siemens + - phone +--- +A friend visited me bringing two A55 with SIMlock. Both were from the same provider and both didn't accept the +unlocking code from the provider for some reason. After trying the usual tools without luck, we used the [testpoint method](http://www.allsiemens.com/testpoints/siemens-A55.htm). +Using very sharp tweezers, we scratched away the protective from the desired trace and cut it. Now we were able to use +*Freia* without any problems. (set to "Bootcore Bug") diff --git a/know-how/hacking/_posts/2009-02-02-siemens-gigaset.md b/know-how/hacking/_posts/2009-02-02-siemens-gigaset.md new file mode 100644 index 0000000..a79b847 --- /dev/null +++ b/know-how/hacking/_posts/2009-02-02-siemens-gigaset.md 
@@ -0,0 +1,69 @@ +--- +title: SIEMENS Gigaset +language: en +layout: default +created: 2009-02-02 02:15:29 +0100 +updated: 2009-02-02 22:27:14 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - siemens + - phone +--- +Service mode +============ + +Hold keys **1**, **4** and **7** while turning on the phone. You will see the display test. + + +Service menu +============ + +Power-on the phone into service mode and type `76200` (4000er series) or `46395`[^1] (2000er and 3000er series) to get +to the service menu. + +There you can check some options and on the next regular power-on, you'll see the checked infos on the display. To get +everything back to normal, repeat the procedure to uncheck these options. + + +Factory reset +============= + +Power the phone on into service mode and type `4685463` to reset the phone to factory settings - **completely**, i.e. +incl. all phonebook entries. (The normal factory reset keeps them!) + + +Phone code +========== + +If you forgot the phone code, there seem to be 2 ways: + +**1.** Get into the service menu and type: `4#`, push *OK*, `*R#R`, *OK*, `8#9*` and the red button. + +**2.** Get into the service menu, move the selection to the menu separator (`---------`) and type: `89376200`. + + +EEPROM patcher +============== + +:warning: Doesn't work for all phones! + +Get into service mode and type `337766`. This is useful to prepare older *SL74* models for MMS sending: + +1. get into the EEPROM patcher +1. Type part #1: `63508 65443 32604` and confirm with *OK* +1. Type part #2: `58644 58028 59475` and *OK* +1. power off the phone and power on again + + +Approval test +============= + +Hold **1**, **3** and **0** while powering on the phone. (**1**, **5**, **9** and **0** should also work) + +Seems to be a mode where the phone sends data all the time so that you can test radiation. + + +[^1]: Zip code of *Bocholt* where the Gigasets are/were built \ No newline at end of file 
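Review bot: the new `2009-02-02-siemens-gigaset.md` has no trailing newline (`\ No newline at end of file` at the end of the hunk); add one so the next edit to the file does not show up as a change to the footnote line. On the content: the "Phone code" section gives two service-menu sequences that get past a forgotten phone code, and the "Factory reset" code `4685463` wipes the phonebook as well, so say at the top of those sections that they need the handset in hand and that the phonebook should be backed up before typing the reset code. Wording: "4000er series" and "2000er and 3000er series" read as German, "4000 series" and "2000/3000 series" is the English form; "test radiation" under "Approval test" presumably means RF emissions, so say that.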
diff --git a/know-how/hacking/_posts/2009-02-02-siemens-m65.md b/know-how/hacking/_posts/2009-02-02-siemens-m65.md new file mode 100644 index 0000000..0e9d7b6 --- /dev/null +++ b/know-how/hacking/_posts/2009-02-02-siemens-m65.md 
@@ -0,0 +1,54 @@ +--- +title: Siemens M65 +language: en +layout: default +created: 2009-02-02 21:39:52 +0100 +updated: 2009-02-02 22:26:57 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - siemens + - phone +--- +A M65 of my in-laws seemed broken so I took it home to play around with my `DCA-510`-cable. + +It showed firmware rev. 15 … the current one was rev. 58. I read somewhere that older firmware WILL produce problems so +I was glad that it might be a software problem instead of a hardware one. + + +Upgrading firmware +================== + +So I got the latest firmware from [allsiemens.com](http://www.allsiemens.com/flash/M65.htm) and tried to flash the +phone. Damn! The M65 was from Vodafone and thus the ID was `M6V` instead of `M65`. Since I hate brandings, I needed a +way to change that value. + +After some experiments I found instructions at [gsm-multifund.de](http://www.gsm-multifund.de/board/showthread.php?t=8864) +(which seems to be offline now). + +I needed *[x65flasher](http://www.allsiemens.com/soft/flashers-1.htm)* and since I updated the phone to [M6V v50](http://www.allsiemens.com/flash/M6V.htm) +before, I needed the supplied Java-Midlet `px75v1` to calculate the Hash and ESN for my phone. This needed around 3-5 +minutes. After that, I was able to download a backup of the phone's firmware and then chose *Advanced* → *Change phone +model* to change it to `M65`. After writing it back to the phone, I did a *FFSinit* (see allsiemens.com) and was +finally able to flash the rev. 58 using *WinSwup*. + +Also a nice page with many tips and instructions: [gsm-free.com](http://www.gsm-free.com/index.htm). + + +Patching the firmware +===================== + +You can use [Smelter](http://www.allsiemens.com/soft/flashers-1.htm) to generate a list with possible patches for the +supplied firmware file which you can then apply using [V_KLay](http://www.allsiemens.com/soft/flashers-2.htm). There +are patches to e.g. 
disable some debugging (which makes the phone a bit faster) or enable the network monitor +(aka. *Develop. setup*) in the "My Menu". + + +Internal Filesystem +=================== + +If you want to get rid of the "Load games", "Load Ringtones", etc. menus, just use the [VSOFS-Plugin](http://www.totalcmd.net/plugring/vsofs.html) +for [Total Commander](http://www.ghisler.com/) to delete the file `\\M65\Config\Default\MagicLinks\MagicLinks.xml` and +the directory on the phone. diff --git a/know-how/hacking/_posts/2009-02-02-teac-mp380.md b/know-how/hacking/_posts/2009-02-02-teac-mp380.md new file mode 100644 index 0000000..4b12d05 --- /dev/null +++ b/know-how/hacking/_posts/2009-02-02-teac-mp380.md 
@@ -0,0 +1,47 @@ +--- +title: TEAC MP-380 / entryx EM850 +language: en +layout: default +created: 2009-02-02 22:49:04 +0100 +updated: 2009-02-02 22:49:04 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - teac + - entryx + - mp3player +--- +A local discounter offered a MP4-player *[entryx EM850](http://www.entryx.de/deutsch/produkte/mp3player/2gb_mediaplayer_mp3.html)* +some time ago. The supplied firmware has some severe problems, e.g. the devices powers off while playing without touching it. + +After some research, I found some thread at [discountfan.de](http://www.discountfan.de/forumneu/read.php?8,161599,162423) +which mentions that the device is originally built by [YIFANG](http://www.yifangdigital.com/Product/EM850.htm) and is +OEM'ed as [Meizu M6](http://en.wikipedia.org/wiki/M6_Mini_Player) or [TEAC MP-380](http://www.teac-shop.de/product_info.php/info/p151_MP-380-2GB-Flash-MP3-Player.html). + +The TEAC firmware is brand new and thus fixes the problems of the entryx version. Since you can't download the firmware +from the TEAC homepage, you have to get it from [rapidshare.com](http://rapidshare.com/files/49786276/TEM850RB_PCB1.4_002_1.7.17_new.rar.html). + +All other files you can get directly from YIFANG: On the [download page](http://rapidshare.com/files/49786276/TEM850RB_PCB1.4_002_1.7.17_new.rar.html) +further down you'll find a [EM850RB driver package](http://www.yifangdigital.com/download/driver/audio/em850rb.rar) +which also contains the firmware-updater and drivers for the Rock-chip (both contained in the *ConsumerUpdate* inside +the RAR archive). You have to unpack the ConsumerUpdate and install it. + +Now do the following: + +1. unplug the MP4-player from your PC +1. hold the M key while plugging it in and hold the M key for some more seconds + * the PC should show a new device and ask for drivers +1. choose manually selection of drivers and point it to the directory where you installed the ConsumerUpdate to +1. 
when the drivers are installed, run the `Consumer.exe` (for English language, change the `Consumer.ini` and set + `UILanguage` to `ENG` instead of `CH_S`) +1. choose the firmware file (`.rfw`) and click on *Update* +1. 3 minutes later, everything should be done, exit the Updater +1. unplug the device and power it on + * the upgrade should be launched + +After the upgrade completed, you might have to format the internal storage for the player to recognize it. + +Some little bonus: After the upgrade, you'll find a Tetris game as well as a FM-Tuner. But the latter one doesn't have +any reception - maybe they didn't add an antenna, although the IC would support it. diff --git a/know-how/hacking/_posts/2009-02-02-zyxel-660hw67.md b/know-how/hacking/_posts/2009-02-02-zyxel-660hw67.md new file mode 100644 index 0000000..5eaaa2e --- /dev/null +++ b/know-how/hacking/_posts/2009-02-02-zyxel-660hw67.md 
@@ -0,0 +1,39 @@ +--- +title: ZyXEL Prestige 660HW-67 +language: en +layout: default +created: 2009-02-02 20:55:24 +0100 +updated: 2009-02-02 20:55:24 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - zyxel + - prestige + - router +--- +The 660HW-67 was distributed in Germany as the "WLAN Modem 100" through the Arcor ISP. It came with the firmware `QD.7` +which seems to be originally made for AOL. + +To get the router ready for ADSL2+, I needed the `QQ.7` firmware which is the original one. + + +Firmware crossgrade +=================== + +**Manual:** [dslrouter-hilfe.de](http://www.dslrouter-hilfe.de/forum/showthread.php?t=16411) + +The big problem is that the `rom-0` of the original firmware is 48 KiB whereas that of the AOL firmware is only +*16 KiB*. Usually, you make an upgrade by updating the `rom-0` file (which contains default settings) and then update +the firmware itself which then reads the new default settings upon the next boot. Since the router didn't accept the +new settings, it stuck after the reboot. + +This is how it works (using the serial connector on the PCB and a terminal program): + +1. upload the new firmware file completely + * the router will complain that the `rom-0` doesn't match and ask you to upload a new firmware +1. upload the new firmware again but cancel the upload after about 600 KiB (~12 min at 9600 baud) + * the router will boot into a debug mode +1. upload the new `rom-0` file +1. upload the new firmware file diff --git a/know-how/hacking/_posts/2009-03-10-nintendo-ds.md b/know-how/hacking/_posts/2009-03-10-nintendo-ds.md new file mode 100644 index 0000000..7dcd651 --- /dev/null +++ b/know-how/hacking/_posts/2009-03-10-nintendo-ds.md 
@@ -0,0 +1,32 @@ +--- +title: Nintendo DS +language: en +layout: default +created: 2009-03-10 00:43:19 +0100 +updated: 2009-03-10 01:13:42 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +(DS = Dual Screen) + +![]({{ site.url }}/assets/nintendo_ds_lite.jpg) + + + +* also see: [Nintendo Wii]({% post_url 2009-03-10-nintendo-wii %}) + + +Links +===== + +* [Nintendo DS homebrew](http://en.wikipedia.org/wiki/Nintendo_DS_homebrew) +* [Hacking Nintendo DS](http://doc.kodewerx.org/hacking_nds.html) --- list of ActionReplay code structure and some generic assembler codes diff --git a/know-how/hacking/_posts/2009-03-10-nintendo-wii.md b/know-how/hacking/_posts/2009-03-10-nintendo-wii.md new file mode 100644 index 0000000..0e1583c --- /dev/null +++ b/know-how/hacking/_posts/2009-03-10-nintendo-wii.md @@ -0,0 +1,28 @@ +--- +title: Nintendo DS +language: en +layout: default +created: 2009-03-10 00:43:19 +0100 +updated: 2009-03-10 01:13:42 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- + + +* also see: [Nintendo DS]({% post_url 2009-03-10-nintendo-ds %}) + + +Links +===== + +* [The Homebrew Channel](http://hbc.hackmii.com/) +* [WiiBrew Wiki](http://wiibrew.org/wiki/Main_Page) diff --git a/know-how/hacking/_posts/2009-05-16-msi-rg54se.md b/know-how/hacking/_posts/2009-05-16-msi-rg54se.md new file mode 100644 index 0000000..7d54612 --- /dev/null +++ b/know-how/hacking/_posts/2009-05-16-msi-rg54se.md @@ -0,0 +1,23 @@ +--- +title: MSI RG54SE +language: en +layout: default +created: 2009-05-16 22:20:01 +0200 +updated: 2009-05-16 22:20:01 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - msi + - router +--- +Sold under following names: + +* CC&C WA-2204A +* Blanc BW54R11 +* Bluecomm WA-2204A +* Canyon WF514v2 +* GigaFast WF719-CAPR +* ZCOMAX WA-2204A +* Zonet ZSR1114WE 
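Review bot: `2009-03-10-nintendo-wii.md` is committed with `title: Nintendo DS` in its front matter, copied from the DS post, so both pages render under the same title and the "also see" cross-links look circular; change it to `Nintendo Wii`. The `created` and `updated` timestamps are byte-for-byte the same as in the DS post, which may be intended, but check. The DS post also carries two empty lines between the image and the "also see" bullet; drop them or put the intended text there.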
diff --git a/know-how/hacking/_posts/2009-10-26-samsung-se-t084m.md b/know-how/hacking/_posts/2009-10-26-samsung-se-t084m.md new file mode 100644 index 0000000..4ba0b91 --- /dev/null +++ b/know-how/hacking/_posts/2009-10-26-samsung-se-t084m.md @@ -0,0 +1,46 @@ +--- +title: Samsung SE-T084M +language: en +layout: default +created: 2009-05-15 15:59:19 +0200 +updated: 2009-10-26 21:41:59 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - samsung + - drive +--- +The SE-T084M is an external USB burner with everything but BluRay burning. + +![]({{ site.url }}/assets/samsung_se-t084m.jpg) + + +Firmware +======== + +* there are different models - some with *TruDirect*, some without +* the *TruDirect* models have firmwares `TD00`..`TD02` +* the non-TruDirect models have firmwares `TS00`..`TS02` +* [US firmware downloads](http://www.samsung.com/us/support/download/supportDown.do?group=&type=opticaldiscdrives&subtype=dvdwriter&model_nm=SE-T084M&language=&cate_type=all&dType=D&mType=FM&vType=&prd_ia_cd=05050500&disp_nm=SE-T084M&model_cd=&menu=download) *old Tx00 version* +* [Samsung Optical Disc Drive Division](http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp?FunctionValue=view&no=614&SearchWord=&SearchMode=&PageNumber=1&product_code=&os_no=) *latest TD02 veresion* + + +RPC1 +==== + +*RPC1* means removing the region code or region-switching lock from the drive. Normally the DVD drive is set to your +region (1..5) so that you can only play DVDs from your region. You can change this region 5 times with the last change +being permanently. + +RPC1 means removing this limit. Also you can sometimes set your drive to region code **0** which will allow you to play +DVDs of any region. + +You can enable *RPC1* by using [MCSE](http://forum.rpc1.org/viewtopic.php?f=2&t=41228&st=0&sk=t&sd=a&start=125). + +

+Windows XP will continue to show a *X changes left* in the region settings. But this is a software lock. Open *RegEdit* +and go to `HKEY_LOCAL_MACHINE\Software\Microsoft`. There you'll find a key with strange characters (something like `';t-z%`) +which contains a single REG_QWORD value. Delete the whole key and you'll be back at *5 changes left*. +

diff --git a/know-how/hacking/_posts/2010-01-11-sony-psp.md b/know-how/hacking/_posts/2010-01-11-sony-psp.md new file mode 100644 index 0000000..e42da87 --- /dev/null +++ b/know-how/hacking/_posts/2010-01-11-sony-psp.md @@ -0,0 +1,188 @@ +--- +title: SONY PlayStation Portable +language: en +layout: default +created: 2010-01-08 08:47:41 +0100 +updated: 2010-01-11 21:39:20 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - sony + - playstation + - psp +--- +* **Model:** PSP Slim (PSP-2004) +* **Battery:** PSP-S110 + +

+Please note that these things only work for PSP-1xxx and PSP-2xxx with a date code (found behind battery!) of `8B` or +less. If you have a newer PSP or a PSP-3xxx, you will most likely have a **TA-88v3** mainboard and destroy it by trying +the things described here. +

+ + +PSP-S110 Pandora Battery +======================== + +* + +The original shipped battery of type `PSP-S110` can be made a Pandora-battery which enables developer features on the PSP. + + +Opening the battery +------------------- + +![]({{ site.url }}/assets/battery_normal.jpg) + +The housing of the battery is glued together around the side. **DO NOT TRY TO OPEN IT WITH A SCREWDRIVER** as you can +easily produce shorts which may even make the battery explode or destroy it forever. + +The best way is to use your fingernails and a stronger guitar pick (or something else non-conducting material). + +After opening, it will look like this: + +![]({{ site.url }}/assets/battery_opened.jpg) + +Now carefully bend over the PCB. + +![]({{ site.url }}/assets/battery_pcbbend.jpg) + + +Identify target +--------------- + +Identify the small 8-pin IC with the label `S93C56` near the **`IC04`** printed on the PCB - this is an EEPROM which +holds information about the battery. We want to stop it sending that information to the PSP. + +Looking at a [data sheet](http://www.alldatasheet.com/view.jsp?sSearchword=S93C56), we will find this picture: + +![]({{ site.url }}/assets/s93c56scheme.png) + +Now there are 2 ways to interfere: We can disconnect the `CS` pin which indicates when a new command is about to be +sent to the IC or we can short the `DO` (data output) pin to `Vcc` so that there will be no readable output from the IC. + +If you regularly need a Pandora battery, you can even solder a switch instead of cutting/shorting the points. + +### Disconnect CS + +* + +The CS line is used to tell the EEPROM when it has to listen for commands. By cutting this line, the EEPROM won't be +able to work anymore and thus you will have a Pandora battery. If you do it right, then you can undo the cut with a +normal pencil (the lead in the pencil is conductive). + +Find the line with the **`19`** printed nearby. It is the one going from the top right pin of the IC. 
Use a razor knife +to cut it at this point (marked red): + +![]({{ site.url }}/assets/battery_cutplace.jpg) + +That was it! Just assemble everything back and use some adhesive tape to hold the battery together. If you put it into +your PSP (with AC adaptor unplugged), the green *Power*-LED should automatically turn on without doing anything else. + +Congratulations. You now have a Pandora battery. + +

+If you want to make it a normal battery later, use a lead pencil and draw along the cut a few times. Check that the PSP +doesn't turn on when inserting the battery. If everything works as you want, you can also glue the battery together again. +

+ + +### Short DO and VCC + +* + + +Magic MemoryStick +================= + +A *Magic MemoryStick* contains a special boot-code which provides means to update the firmware of the PSP. There are +different tools to create one: + +* [Ultimate Pandora Magic Stick](http://www.psp-hacks.com/file/1326) +* [TotalNewbi Installer](http://www.megaupload.com/?d=gvzi5ne4) +* [PSPGrader v008](http://pspslimhacks.com/psp-grader-v008/) +* [Rain's UltraLite MMS Maker](http://pspslimhacks.com/rains-ultralite-mms-maker-for-500-m33-4/) + +These are all mostly self-explanatory. + +After some playing around with my 120MB *MemoryStick Duo* without luck, I came to the conclusion, that you **really need +a *Pro Duo*** for this thing to work. The limit for sticks up to 2GB is gone. You can use any stick - mine was a *8GB +MemoryStick Pro Duo Mark 2*. Be sure to backup all files first. + +Using *PSPGrader* and *Rain's UltraLite MMS Maker* didn't work in the first place (tried both with the *Format +MemoryStick* option). The latter one gave the *["IPL failed to inject"](http://www.psp-hacks.com/forums/archive/index.php/t-232186.html)* +error. I then used the `mspformat.exe` from the *TotalNewbi Installer* to format the USB stick. After that, using +*Rain's* (without the *Format* option checked) finally worked and I had a *Magic MemoryStick*. + + +Using the Magic MemoryStick +--------------------------- + +To make the PSP load the custom file from the MemoryStick, you have two options: + +1. without the MemoryStick in the slot and without AC adapter plugged, put the Pandora battery into +1. the green *Power*-LED should turn on, anything other stays off +1. hold the L shoulder button while inserting the MMS +1. now the *WIFI*- and *M*-LEDs should flicker and boot the file + +you can also do it the other way around: + +1. without AC adapter plugged and without battery inserted, put the MMS into the slot +1. hold the L shoulder button while inserting the Pandora battery +1. 
the green *Power*-LED should turn on and the *WLAN*- and *M*-LEDs should start to flicker + +If only the green *Power*-LED comes on with none of the other LEDs flickering, your Magic MemoryStick mostly doesn't +work. In some rare cases you might have a PSP with the newer mainboard (TA-88v3). Find out [here](http://www.dcemu.co.uk/vbulletin/showthread.php?t=183671). +You might also try [this](http://www.qj.net/psp/homebrew-applications/dark-alex-releases-ta-088v3-identifier-find-out-if-your-psp-is-unhackable.html). + + +Flashing custom firmware +======================== + +* +* +* [Team GEN Forums](http://www.pspgen.com/forums/) (mostly French, but one is English) +* [List of all CFWs incl. some background info](http://alek.dark-alex.org/pspwiki/index.php/Custom_Firmwares) + +After using the MMS and selecting the first option *Flash install 5.00M33-4*, you will have *Dark Alex*'s firmware on +your PSP. Upgrade it to the latest version by following the steps [here](http://www.atmaxplorer.com/2008/10/psp-custom-firmware-500-m33-is-released/2/). +Just download the *5.00 M33-5*, install it as described there then do the same with the *5.00 M33-6*. + +Now you have the choice of switching over to *Team GEN*'s firmware which should support all the latest games. To do +this, use the *XGen Updater* as described [here](http://www.atmaxplorer.com/2009/12/install-psp-custom-firmware-5-50-gen-d3/). +The firmware file is also available [here](http://www.psp-hacks.com/file/1873). Newer versions can then be found in the +Downloads section of [psp-hacks.com](http://www.psp-hacks.com/category/39). + +

+**ATTENTION!** If you have problems with corrupted savegames or UMD titles not starting, please use the [5.50GEN-D2 Quick Updater](http://dl.qj.net/psp/homebrew-applications/cfw-550gen-d2-quick-updater.html) +to downgrade to that version until 5.50GEN-D4 is out. You might also try [these steps](http://www.pspgen.com/forums/interesting-tidbit-for-those-haveing-trouble-t192838.html) +before doing the downgrade. + +If you don't have a backup of your saves, try [this](http://www.maxconsole.net/forums/showpost.php?s=a3670fea1205db04755ba1c6f42f65aa&p=1122026&postcount=3) +to possibly recover them. +

+ + +Backup your games +================= + +* +* + +After you made a backup, copy the resulting `ISO` file into a folder `ISO` on your PSP's MemoryStick. It will then +appear in the game menu under *MemoryStick*. + + +Homebrew Apps +============= + +* [CWCheat System](http://cwcheat.consoleworld.org/index.php) + + +Links +===== + +* +* diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-15-backup-savegames.md b/know-how/hacking/nintendo-ds/_posts/2009-03-15-backup-savegames.md new file mode 100644 index 0000000..b404f30 --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-03-15-backup-savegames.md 
@@ -0,0 +1,48 @@ +--- +title: Backup Savegames on Nintendo DS +language: en +layout: default +created: 2009-03-15 14:34:37 +0100 +updated: 2009-03-15 22:16:40 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +To backup savegames from your cartridges (e.g. for use with a ROM dump on a card like the +[CycloDS Evolution]({% post_url 2009-03-22-cyclods-evolution %})) there are two ways. + + +EZFlash 3in1 method +=================== + +You'll need a Slot1-homebrew launcher (like the [CycloDS]({% post_url 2009-03-22-cyclods-evolution %})) and the [EZFlash 3in1]({% post_url 2009-03-15-ezflash-3in1 %}) +Slot2-Flash-Expansion (*EZFlash Plus* might not work!). + +1. Download and install (on your microSD) the *NDS Backup Tool 3in1* from [Rudolph](http://www009.upp.so-net.ne.jp/rudolph/nds/Backup/) +1. Make sure the EZFlash 3in1 is in your Slot2 and the CycloDS containing the card with the *NDS Backup Tool* is in Slot1 +1. Launch CycloDS and use it to run the backup tool +1. Make sure you are in the **Save Backup** mode (if not, press L until you are) +1. Press B to create a new savegame dump +1. You are prompted to remove the current Slot1 card (CycloDS) and put in the card of the game … do so! +1. Press A when ready +1. Now the savegame data will be copied to the Flash of the EZFlash 3in1 card +1. You are prompted to turn off the DS and re-run the *NDS Backup Tool* +1. Turn off the NDS (or press A), remove the game cartridge and insert the CycloDS cartridge again +1. When loading CycloDS, hold L-R to automagically re-run the backup tool +1. Confirm the copy process by pressing A +1. Now the savegame data will be copied from the EZFlash to your microSDHC card +1. You're done. The savegame will be in a folder `/NDS_Backup/` on your microSDHC card. +1. (You might have to rename the savegame file to the same name as the backup ROM of the game.) 
+ + +Wi-Fi method +============ + +I did not test this method, but it needs a working Wi-Fi-connection from your NDS to your Access Point and some PC in +your network. You'll have to setup a FTP server. Download the *NDS Backup Tool WiFi* from [Rudolph](http://www009.upp.so-net.ne.jp/rudolph/nds/Backup/), +unpack to your microSD and modify the file `NDS_Backup_Tool_Wifi.ini` and enter the IP, Port, Username and Password of +your FTP server. The rest of the process should be similar to the above (despite of the switching cartridges). diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-15-ezflash-3in1.md b/know-how/hacking/nintendo-ds/_posts/2009-03-15-ezflash-3in1.md new file mode 100644 index 0000000..61290fb --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-03-15-ezflash-3in1.md @@ -0,0 +1,35 @@ +--- +title: EZFlash 3in1 +language: en +layout: default +created: 2009-03-15 15:49:39 +0100 +updated: 2009-03-15 22:17:41 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- + + +* **Homepage:** [ezflash.cn](http://www.ezflash.cn/home.htm) +* **Detailed specs:** [gbatemp.net](http://wiki.gbatemp.net/wiki/index.php/3_in_1_Expansion_Pack_for_EZ-Flash_V) +* **Specs and some tutorials:** [cyclods.theta.in](http://cyclods.theta.in/wiki/EZFlash_V_3-in-1) + + +The EZFlash 3in1 is a GBA-cartridge for the Slot2 of the NDS which provides the following features: + +* RAM expansion (e.g. for *DS Opera Browser*) +* Rumble pack +* 32 MiB Flash memory +* 16 MiB SRAM +* 512 KiB battery powered SRAM for savegame data + + +*[DS]: Dual Screen +*[RAM]: Random Access Memory +*[NDS]: Nintendo Dual Screen +*[GBA]: Nintendo GameBoy Advance +*[SRAM]: Static Random Access Memory diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-15-wii-downloads.md b/know-how/hacking/nintendo-ds/_posts/2009-03-15-wii-downloads.md new file mode 100644 index 0000000..5de6416 --- /dev/null 
+++ b/know-how/hacking/nintendo-ds/_posts/2009-03-15-wii-downloads.md @@ -0,0 +1,23 @@ +--- +title: Wii Downloads +language: en +layout: default +created: 2009-03-10 00:51:47 +0100 +updated: 2009-03-15 22:18:54 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +The *Nintendo Channel* on the [Nintendo Wii]({% post_url 2009-03-10-nintendo-wii %}) allows you to download Demo +versions of NDS games right to your NDS to play. Just do the following: + +1. go to the *Nintendo Channel* +1. go to the video overview +1. click "Categories" on top +1. select **DS Download Service** +1. just select a game, wait for it to download +1. follow the on-screen instructions diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-16-ndstool.md b/know-how/hacking/nintendo-ds/_posts/2009-03-16-ndstool.md new file mode 100644 index 0000000..9ba6fd0 --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-03-16-ndstool.md 
@@ -0,0 +1,137 @@ +--- +title: ndstool +language: en +layout: default +created: 2009-03-16 00:48:30 +0100 +updated: 2009-03-16 00:48:30 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +The `ndstool` can show header information of ROM files as well as extract the game logo or even the whole ROM contents. +It also can recombine the extracted ROM contents to a working ROM again. + +* **Homepage:** [darkfader.net](http://darkfader.net/ds/) (scroll down to *DS development tools*) +* **Blog:** [ndsdev.blogspot.com](http://ndsdev.blogspot.com/) +* **SVN:** [devkitpro.svn.sourceforge.net](http://devkitpro.svn.sourceforge.net/viewvc/devkitpro/trunk/tools/nds/ndstool/) +* **Linux binary:** [codinglab.blogspot.com](http://codinglab.blogspot.com/2007/07/nintendo-ds-homebrew-under-linux-ubuntu.html) +* **Python clone:** [jmoiron.net](http://dev.jmoiron.net/rom-seimei/) (limited functionality, but does UTF8) + + +Example output +============== + +This is from the Linux binary (see above): + +~~~ +Nintendo DS rom tool 1.36 - Jul 31 2007 23:26:46 +by Rafael Vuijk, Dave Murphy, Alexei Karpenko +Header information: +0x00 Game title BANDBROS DX +0x0C Game code AXBJ (NTR-AXBJ-JPN) +0x10 Maker code 01 (Nintendo) +0x12 Unit code 0x00 +0x13 Device type 0x00 +0x14 Device capacity 0x09 (512 Mbit) +0x15 reserved 1 000000000000000000 +0x1E ROM version 0x00 +0x1F reserved 2 0x00 +0x20 ARM9 ROM offset 0x4000 +0x24 ARM9 entry address 0x2000800 +0x28 ARM9 RAM address 0x2000000 +0x2C ARM9 code size 0xADBB4 +0x30 ARM7 ROM offset 0x172000 +0x34 ARM7 entry address 0x2380000 +0x38 ARM7 RAM address 0x2380000 +0x3C ARM7 code size 0x26F28 +0x40 File name table offset 0x198F28 +0x44 File name table size 0xBFF1 +0x48 FAT offset 0x1A4F1C +0x4C FAT size 0x4BA8 +0x50 ARM9 overlay offset 0xB1BC0 +0x54 ARM9 overlay size 0x2E0 +0x58 ARM7 overlay offset 0x0 +0x5C ARM7 overlay size 0x0 +0x60 ROM control info 1 0x00416657 +0x64 ROM control info 2 0x081808F8 +0x68 
Icon/title offset 0x1A9C00 +0x6C Secure area CRC 0xD9F8 (OK, decrypted) +0x6E ROM control info 3 0x0D7E +0x70 ARM9 ? 0x2000AAC +0x74 ARM7 ? 0x2380188 +0x78 Magic 1 0x00000000 +0x7C Magic 2 0x00000000 +0x80 Application end offset 0x036DF558 +0x84 ROM header size 0x00004000 +0x88 ? 0x00004BA0 +0x15C Logo CRC 0xCF56 (OK) +0x15E Header CRC 0xF657 (OK) + +Banner CRC: 0x2934 (OK) +English banner text, line 1: _______ +English banner text, line 2: ________DX +English banner text, line 3: Nintendo + +ARM9 footer found. + +Security data CRC (0x1000-0x2FFF) 0x6FFF +Segment3 CRC (0x3000-0x3FFF) 0x0000 (INVALID) +~~~ + +This is from the Python version: + +~~~ +Header Information: +0x00 Game title BANDBROS DX +0x0C Game code AXBJ (NTR-AXBJ-JPN) +0x10 Maker code 01 (Nintendo) +0x12 Unit code 0x00 +0x13 Device type 0x00 +0x14 Device capacity 0x09 (512 Mbit) +0x15 Reserved 1 000000000000000000 +0x1E ROM Version 0x00 +0x1F Reserved 2 0x00 +0x20 ARM9 ROM offset 0x4000 +0x24 ARM9 entry address 0x2000800 +0x28 ARM9 RAM address 0x2000000 +0x2C ARM9 code size 0xADBB4 +0x30 ARM7 ROM offset 0x172000 +0x34 ARM9 entry address 0x2000800 +0x38 ARM7 RAM address 0x2380000 +0x3C ARM7 code size 0x26F28 +0x40 File name table offset 0x198F28 +0x44 File name table size 0xBFF1 +0x48 FAT offset 0x1A4F1C +0x4C FAT size 0x4BA8 +0x50 ARM9 overlay offset 0xB1BC0 +0x54 ARM9 overlay size 0x2E0 +0x58 ARM7 overlay offset 0x00 +0x5C ARM7 overlay size 0x00 +0x60 ROM control info 1 0x00416657 +0x64 ROM control info 2 0x081808F8 +0x6E ROM control info 3 0x0D7E +0x68 Icon/Title offset 0x1A9C00 +0x6C Secure area CRC 0xD9F8 (OK, decrypted) +0x70 ARM9? 0x02000AAC +0x74 ARM7? 0x02380188 +0x78 Magic 1 0x00000000 +0x7C Magic 2 0x00000000 +0x80 Application end offset 0x036DF558 +0x84 ROM header size 0x00004000 +0x15C Logo CRC 0xCF56 (OK) +0x15E Header CRC 0xF657 (OK) + +Banner CRC: 0x2934 (OK) +Japanese banner text, line 1: だいがっそう! 
+Japanese banner text, line 2: バンドブラザーズDX +Japanese banner text, line 3: Nintendo + +ARM9 footer found. + +Security data CRC (0x1000-0x2FFF) 0x6FFF +Segment3 CRC (0x3000-0x3FFF) (NYI) +~~~ diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-17-extract-sound.md b/know-how/hacking/nintendo-ds/_posts/2009-03-17-extract-sound.md new file mode 100644 index 0000000..8ceb909 --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-03-17-extract-sound.md @@ -0,0 +1,28 @@ +--- +title: Extract Sound from ROMs +language: en +layout: default +created: 2009-03-17 20:41:05 +0100 +updated: 2009-03-17 20:41:05 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +To extract sounds (or graphics) from a ROM, you'll need the [ndstool]({% post_url 2009-03-16-ndstool %}) +and [ndssndext](http://www.4shared.com/file/68276816/8092229e/ndssndext_v04.html). + +First extract the game data from ROM: + + ndstool -x -d data .nds + +This will create a new directory `data` containing all the game data. In there you'll most probably find a file `*.sdat` +somewhere. This is a sound archive format. Now run this through the `ndssndext` (I had to use *WinE*): + + wine ndssndext.exe sound_data.sdat + +This creates a new folder which contains more folders with the actual contents from the `.sdat`-file. These can be MIDI +files and/or (converted) WAV files. diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-22-cyclods-evolution.md b/know-how/hacking/nintendo-ds/_posts/2009-03-22-cyclods-evolution.md new file mode 100644 index 0000000..31a2e58 --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-03-22-cyclods-evolution.md 
@@ -0,0 +1,42 @@ +--- +title: CycloDS Evolution +language: en +layout: default +created: 2009-03-10 01:04:17 +0100 +updated: 2009-03-22 13:01:57 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- + + +* **Homepage:** [cyclopsds.com](http://www.cyclopsds.com/) +* **Firmware:** [cyclopsds.com](http://www.cyclopsds.com/cgi-bin/cyclods/engine.pl?page=support) +* **Comparison:** [joystiq.com](http://nintendo.joystiq.com/2008/05/20/ds-fanboys-semi-ultimate-homebrew-guide/) +* **Review:** [gameboy-advance.net](http://www.gameboy-advance.net/ds-lite/cyclods.htm) +* **Buy one:** [chipmonkey.de](http://chipmonkey.de/) (Germany) + +The *CycloDS Evolution* is a cartridge for the NDS which adds homebrew capabilities. You can then run various homebrewed +titles from a miniSDHC card on the NDS. You can even play [backups of your own games]({% post_url 2009-03-23-dump-games %}) +and thus take them all with you in a single cartridge. + + +Cheats Database +=============== + +The CycloDS Evo supports ActionReplay(tm) compatible cheat codes. The *Evolution Tools* (downloadable on their [Support page](http://www.cyclopsds.com/cgi-bin/cyclods/engine.pl?page=support)) +supports downloading cheats from [codejunkies.com](http://codejunkies.com). After the processing is done, you get a +~600 KiB `user.evoCheats` file. + +According to the [forums](http://www.teamcyclops.com/forum/showthread.php?t=1580), `codejunkies.com` is missing several +cheats for newer games, so you might want to download the database from [gbatemp.net](http://cheats.gbatemp.net/) which +is ~1,7 MiB. There's even a direct link to the latest version of the file: + +* + +You might also want to trim your `default.evoCheats` file down to 0 Bytes and make it read-only so that only the newer +cheats database is used. 
diff --git a/know-how/hacking/nintendo-ds/_posts/2009-03-23-dump-games.md b/know-how/hacking/nintendo-ds/_posts/2009-03-23-dump-games.md new file mode 100644 index 0000000..fef36ca --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-03-23-dump-games.md 
@@ -0,0 +1,59 @@ +--- +title: Dump Games +language: en +layout: default +created: 2009-03-15 14:41:43 +0100 +updated: 2009-03-23 01:04:47 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +Dumping game cartridges is done the same way like [dumping savegames]({% post_url 2009-03-15-backup-savegames %}). + + +EZFlash 3in1 method +=================== + +The only difference here is that you might have to swap the cartridges more often since the Flash memory of the [EZFlash 3in1]({% post_url 2009-03-15-ezflash-3in1 %}) +is only 32 MiB and some games are up to 128 MiB in size. + +There's a nice tutorial with pictures at [monroeworld.com](http://www.monroeworld.com/myfaq/index.php?action=artikel&cat=7&id=129&artlang=en). + +Here are some estimated times for dumping different sized game cartridges (copied from that page): + +| Game size | Number of passes | est. time needed | +|----------:|:-----------------|-----------------:| +| 4 MiB | 1 pass | 2min 30sec | +| 8 MiB | 1 pass | 3min 15sec | +| 16 MiB | 1 pass | 4min 45sec | +| 32 MiB | 1 pass | 9min 30sec | +| 64 MiB | 2 passes | 14min 15sec | +| 128 MiB | 4 passes | 19min 00sec | +| 256 MiB | 8 passes | 38min 00sec | + + +Wi-Fi method +============ + +Be warned that the Wi-Fi transfer speed is somewhat "limited". Dumping a 128 MiB game takes almost **2 hours**. So make +sure your NDS is connected to its power adaptor. + + +ROM Trimming +============ + +Game cartridges have the typical memory ICs in binary sizes (8, 16, 32, 64, 128, 256 MiB) although the game often +doesn't occupy the whole memory. That means if a game is 35 MiB in size, it is shipped on a 64 MiB cartridge. When +dumping, you'll dump the whole 64 MiB although the last 29 MiB are empty (filled with `0x00`). So you can save a lot of +space if you trim a ROM down to the real size. + +

+Games which use the WiFi feature mostly store their connection info in this empty space so using the wrong program to trim a ROM will break online capability of games. +

+ +A good trimmer is [NDSTokyoTrim](http://techsuki.net/nintendo-ds-rom-trimmer/) which can detect WiFi-games and leaves +the space for their settings. diff --git a/know-how/hacking/nintendo-ds/_posts/2009-10-28-favourite-games.md b/know-how/hacking/nintendo-ds/_posts/2009-10-28-favourite-games.md new file mode 100644 index 0000000..9ba2a45 --- /dev/null +++ b/know-how/hacking/nintendo-ds/_posts/2009-10-28-favourite-games.md @@ -0,0 +1,24 @@ +--- +title: Favourite NDS Games +language: en +layout: default +created: 2009-03-23 00:34:05 +0100 +updated: 2009-10-28 02:04:10 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - gaming +--- +Here's a list of my favorite games: + +| Game | Genre | Comment | +|:---------------|:---------:|:-------------------------------| +| Rittai Picross | Puzzle | very addictive | +| Time Hollow | Adventure | great story, great soundtrack | +| Another Code | Adventure | almost as great as Time Hollow | +| Korg DS-10 | Music | | +| Crosswords DS | Puzzle | | +| Picross | Puzzle | | diff --git a/know-how/hacking/nintendo-wii/_posts/2008-07-18-twilight-hack.md b/know-how/hacking/nintendo-wii/_posts/2008-07-18-twilight-hack.md new file mode 100644 index 0000000..a1f7907 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2008-07-18-twilight-hack.md 
@@ -0,0 +1,26 @@ +--- +title: Wii Twilight Hack +language: en +layout: default +created: 2008-07-18 22:44:40 +0200 +updated: 2008-07-18 22:44:40 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +The Twilight Hack is described at [Code Retard](http://www.coderetard.com/2008/05/07/install-wii-virtual-console-game-channels-with-wad-installer/). +It works by using a bug in *Zelda - Twilight Princess*. In short is goes like this: + +1. get [WAD Installer 2.1](http://www.coderetard.com/wp-content/uploads/2008/05/wad-installer_v21.zip) and copy the + `wad-installer.elf` to the root directory of your SD-card and name it `boot.elf` +1. get the [Twilight Hack Beta](http://www.coderetard.com/wp-content/uploads/2008/06/twilight-hack-v01-beta1.zip) (for + the Wii 3.3 firmware) and copy the `rzdp.bin` as `data.bin` to `/private/wii/title/RZDP` (P for PAL). +1. copy all wanted games (`*.wad`-files) to a directory `/wad` on your SD card (4MiB ~ 59 blocks) +1. get *Zelda - Twilight Princess*, run it at least once on your Wii to create the savegame slot +1. insert SD card, delete savegame on your Wii and copy the Twilight Hack savegame from your SD card +1. now run *Zelda*, load game, walk towards the guy and talk to him +1. the screen goes black and shows the WAD Installer which installs all files found in `/wad` diff --git a/know-how/hacking/nintendo-wii/_posts/2008-07-23-savegame-editing.md b/know-how/hacking/nintendo-wii/_posts/2008-07-23-savegame-editing.md new file mode 100644 index 0000000..ee35580 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2008-07-23-savegame-editing.md 
@@ -0,0 +1,27 @@ +--- +title: Wii Savegame Editing +language: en +layout: default +created: 2008-07-23 21:31:36 +0200 +updated: 2008-07-23 21:31:58 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +Savegames, as well as almost all other files, are encrypted using some crypto magic. The keys were found and now there +are some tools to decrypt and recrypt the savegames called [Segher's Wii.git](http://wiibrew.org/wiki/Segher's_Wii.git). + +To compile them, you need to also compile OpenSSL, add the `include`-directory of OpenSSL to the search path for gcc and +also point the `ld` to the compiled libcrypto.a. + +After that, find the 3 interesting keys on [HackMii](http://hackmii.com/2008/04/keys-keys-keys/), which are `md5-blanker`, +`sd-iv` and `sd-key`. + +Create a directory `~/.wii` and put the 3 keys in ***binary*** form in there. (No text file with the values as numbers +and letters but binary files with exactly 16 Bytes per file. Use `ghex2` or such.) + +If everything is correct, you can uncompress savegames data.bin using `tachtig` and recompress them using `twintig`. diff --git a/know-how/hacking/nintendo-wii/_posts/2009-01-18-mplayer-samba.md b/know-how/hacking/nintendo-wii/_posts/2009-01-18-mplayer-samba.md new file mode 100644 index 0000000..b888f9e --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2009-01-18-mplayer-samba.md 
@@ -0,0 +1,28 @@ +--- +title: MPlayer and Samba +language: en +layout: default +created: 2009-01-18 23:26:15 +0100 +updated: 2009-01-18 23:26:15 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +The [MPlayer Christmas Edition](http://www.elotrolado.net/hilo_mplayer-christmas-edition_1157252) for Wii supports SMB +browsing. You can configure the login data of the desired SMB share through the `smb.conf` on the SD card as follows: + +~~~ +ip=192.168.1.100 +share=Public +user=wii +pass=somethingelse +port=445 +~~~ + +For it to work, you **MUST** use a dedicated user in Samba. Guest shares won't work. Also make sure you have +**`security=user`** set in your Linux `smb.conf`. For more information see +[this thread](http://www.tehskeen.com/forums/showpost.php?p=48403&postcount=76) as tehskeen.com. diff --git a/know-how/hacking/nintendo-wii/_posts/2009-01-30-encryption-keys.md b/know-how/hacking/nintendo-wii/_posts/2009-01-30-encryption-keys.md new file mode 100644 index 0000000..6113d51 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2009-01-30-encryption-keys.md @@ -0,0 +1,40 @@ +--- +title: Nintendo Wii Encryption Keys +language: en +layout: default +created: 2009-01-30 12:56:51 +0100 +updated: 2009-01-30 13:00:54 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +To use these keys with e.g. [Segher's Wii.git](http://wiibrew.org/wiki/Segher's_Wii.git), you have to put them in binary +files, i.e. use a Hex-Editor and paste these keys so that you get a 16 Byte long file for each key. Segher's tools +expect them to be located in `~/.wii/`, e.g. `~/.wii/common-key`. + +common-key +========== + + ebe42a225e8593e448d9c5457381aaf7 + + +sd-key +====== + + ab01b9d8e1622b08afbad84dbfc2a55d + + +sd-iv +===== + + 216712e6aa1f689f95c5a22324dc6a98 + + +md5-blanker +=========== + + 0e65378199be4517ab06ec22451a5793 
diff --git a/know-how/hacking/nintendo-wii/_posts/2009-03-23-favourite-games.md b/know-how/hacking/nintendo-wii/_posts/2009-03-23-favourite-games.md new file mode 100644 index 0000000..e95c7c9 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2009-03-23-favourite-games.md @@ -0,0 +1,24 @@ +--- +title: Favourite Wii Games +language: en +layout: default +created: 2009-03-23 00:38:45 +0100 +updated: 2009-03-23 00:38:45 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +Here's a list of my favorite Wii games: + +| Game | Genre | Comment | +|:-----------------------|:---------:|:-----------| +| Red Steel | FPS | great soundtrack, nice story; hate the swordfights though | +| Metroid Prime 3 | FPS | nice graphics | +| Onslaught (WiiWare) | FPS | lots of fun playing this plain and straight forward shooter | +| World of Goo (WiiWare) | Puzzle | very addictive | +| Okami | Adventure | really great graphics, nice gameplay | +| NfS: Undercover | Racing | made a lot of fun playing it with the GC controller | diff --git a/know-how/hacking/nintendo-wii/_posts/2009-05-22-mii-to-ds.md b/know-how/hacking/nintendo-wii/_posts/2009-05-22-mii-to-ds.md new file mode 100644 index 0000000..b1a6d37 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2009-05-22-mii-to-ds.md @@ -0,0 +1,23 @@ +--- +title: Mii to NDS Transfer +language: en +layout: default +created: 2009-03-10 01:08:20 +0100 +updated: 2009-05-22 00:16:54 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +The *Mii Channel* has a hidden **Transfer to DS** option. According to [cubed3.com](http://www.cubed3.com/news/11049) +the only NDS game using this for now is the Japanese title *Aruite Wakaru Seikatsu Rhythm DS*. To enable the feature, +do this: + +1. go to the *Mii Channel* +1. push A once +1. push B once +1. push 1 once +1. hold 2 
diff --git a/know-how/hacking/nintendo-wii/_posts/2009-10-07-wii-homebrew-channel.md b/know-how/hacking/nintendo-wii/_posts/2009-10-07-wii-homebrew-channel.md new file mode 100644 index 0000000..01c4fb4 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2009-10-07-wii-homebrew-channel.md @@ -0,0 +1,27 @@ +--- +title: Wii Homebrew Channel +language: en +layout: default +created: 2009-10-07 22:46:34 +0200 +updated: 2009-10-07 22:48:41 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +Install on 4.2e +=============== + +* Download the [bannerbomb v2](http://bannerbomb.qoid.us/index.new.php) and unzip the file to your SD-Card (make sure + to remove ANY OTHER Wii data from the `private` directory otherwise it will NOT work!) +* Download the [HackMii Installer](http://bootmii.org/download/) and put the `boot.dol` in the root of the SD-Card +* Start the Wii, remove any disc +* select the SD-Channel (bottom left) +* insert the prepared SD-Card and wait for the *Start boot.dol?*-prompt (if it freezes, hold Power-button to reboot the + Wii then try again) +* select *Yes* +* follow the instructions (you most probably want to install all 3 options - try to install BootMii as boot2, if it + doesn't work, install as IOS) diff --git a/know-how/hacking/nintendo-wii/_posts/2010-05-08-usbloader-gx.md b/know-how/hacking/nintendo-wii/_posts/2010-05-08-usbloader-gx.md new file mode 100644 index 0000000..61a28b5 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2010-05-08-usbloader-gx.md 
@@ -0,0 +1,27 @@ +--- +title: USBLoader GX +language: en +layout: default +created: 2010-05-08 12:47:47 +0200 +updated: 2010-05-08 12:47:47 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +* **Homepage:** + + +Foreign games settings +====================== + +(for PAL TVs) + +* If the game appears all in red, activate the *VidMode: AutoPatch* setting. +* If `Error #02` appears, activate the *Error 02 Fix* +* If you only see a black screen after launching the game, make sure, the Game is not Japanese- or English-only. If so, + change the *Game language* setting to match that of the game. (Some games don't have a fall-back setting for their + language, so they will crash if the Wii is set to another language than supported.) diff --git a/know-how/hacking/nintendo-wii/_posts/2010-11-14-backup-games-to-usb-hdd.md b/know-how/hacking/nintendo-wii/_posts/2010-11-14-backup-games-to-usb-hdd.md new file mode 100644 index 0000000..270c098 --- /dev/null +++ b/know-how/hacking/nintendo-wii/_posts/2010-11-14-backup-games-to-usb-hdd.md 
@@ -0,0 +1,110 @@ +--- +title: Backup games to USB HDD +language: en +layout: default +created: 2009-05-24 19:35:29 +0200 +updated: 2010-11-14 16:05:02 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - nintendo + - wii +--- +* [mikeandheth.com](http://www.mikeandheth.com/games/97-connect-wii-usb-hard-drive.html) +* [gbatemp.net](http://wiki.gbatemp.net/wiki/index.php?title=USB_Loader_Releases) --- List of USB Loader programs for the Wii +* [gbatemp.net](http://wiki.gbatemp.net/wiki/index.php?title=WBFS_Managers) --- List of WBFS Managers (programs to copy game ISO files to USB via your PC) +* [usbloadergx.koureio.net](http://usbloadergx.koureio.net/) --- USBLoader GX homepage +* [gbatemp.net](http://gbatemp.net/index.php?showtopic=144844) --- Linux WBFS Manager ([updated version](http://gbatemp.net/index.php?showtopic=145747&hl=cojiro)) +* [Wiithon](https://launchpad.net/wiithon) --- Python WBFS Manager (best for Linux!) +* [code.google.com](http://code.google.com/p/linux-wbfs-manager/) --- another Linux WBFS Manager +* [gbatemp.net](http://gbatemp.net/index.php?showtopic=146731&hl=linux) --- FUSE module for WBFS (unstable) + + +System Menu 4.2 +=============== + +

+Only backup games you really own. **DO NOT BACKUP BORROWED GAMES OR DOWNLOAD THEM FROM THE INTERNET!** If nobody +actually buys Wii games then the creators won't make any more games. (Also you wouldn't want to end up like [this](http://youtube.com/watch?v=ALZZx1xmAzg), +would you?) However backing up games not only prevents your discs from damage but also makes the games load faster. +

+ +

+Keep in mind that you could brick your Wii. Only do these steps if you want to take this risk. These steps worked for +me but **I can not be held responsible if they don't work for you or even damage your Wii**. +

+ +To patch *System Menu 4.2* to allow backup (and playing of these backups) of games, follow the instructions at [wiihacks.com](http://www.wiihacks.com/recommended-faqs-guides-tutorials-only/24630-full-hacking-guide-4-2-system-menus-79.html). + +1. Install the [HomeBrew Channel, DVDX and BootMii]({% post_url 2009-10-07-wii-homebrew-channel %}) + * make a backup of your NAND flash using BootMii + 1. after switching on your Wii, you'll be in the BootMii menu (4 icons) + 1. use Power to select the gears on the right + 1. use Reset to choose the gears + 1. the first icon (green arrow pointing from IC to SD-Card) should be highlighted + 1. use Reset to choose this one + 1. follow the instructions to backup the NAND (don't wonder about the bad blocks. Some Wii have up to 80!) +1. Use one of the packages from *Part B* of the wiihacks-guide to uninstall ios249 + 1. prepare and insert SD card + 1. boot your Wii, the *WAD Manager* should run (alternatively: Go to HBC and launch BootMii from there) + 1. in the IOS-selection, select **ios36** (others like 249, 250 might also work, but froze my Wii) + 1. select SD-card as source, press A + 1. select `IOS249.WAD`, press A + 1. change action to **Uninstall WAD**, press A + * if it gives errors at this point, try one of the other packages +1. Use one of the packages from *Part C* of the wiihacks-guide to install cios38rev14 + 1. prepare and insert SD card + 1. boot your Wii, the *cios38-Installer* should run (alternatively: Go to HBC and launch BootMii from there) + 1. in the IOS-selection, keep pressing Left until **Do not reload IOS** is shown, press A (might try other IOSes, but it worked fine this way) + 1. if you have a working Internet connection, select **Network install**, otherwise use **WAD install** and press A + * if you chose **WAD install**, select the `IOS38-64-v3610.wad` on your SD card + 1. 
Proceed with the installation and you are done + +After this procedure you will be able to use a USB Launcher to make and play backups or a DVD Launcher to play backup DVDs. + +

+For [some games](http://wiki.gbatemp.net/wiki/index.php?title=USB_Loader_v1.x_Game_Compatibility) it might be needed to +install *Hermes' cIOS* as well. See [wii-homebrew.com](http://www.wii-homebrew.com/download/nintendo-wii-downloads/firmware-und-hacks/originale/hermes-cios) +for instructions. (In German, sorry!) +

+ + +Shop Channel Update +=================== + +On October, 21st 2009, Nintendo released a Shop Channel Update. [This post](http://forum.wiibrew.org/read.php?21,38699) +implies that it may be safe to do this update if you are already on 4.2. After I made this update, the *USBLoader GX* +rev. 799 crashed after showing the startup logo. So be sure to make a backup using *BootMii*. + +**UPDATE:** The official update seems to reset the IOS249 (and maybe other IOSes). So you either have to repatch your +Wii after the update or use *[WiiSCU](http://wiibrew.org/wiki/WiiSCU)* to update the *Shop Channel* and *IOS61* +(**Note:** Use `-trucha` setting) only. + + +Burn backups to DVD +=================== + +You can use any WBFS Manager tool to transfer the backups to your PC (as a ISO file) and burn them onto a DVD. You can +then play the games from DVD using a DVD Launcher such as [NeoGamma](http://www.gbatemp.net/index.php?showtopic=158884). + +Make sure, your burning program keeps the book type of **DVD-ROM**. In *Nero* you have to go to the *Choose Recorder* +dialog, *Advanced options* to set the book-type from **Auto** to **DVD-ROM**. Also burn with the slowest speed possible. + + +Media +----- + +| Type | Works | +|:--------------------------|:-----:| +| Intenso DVD+R LightScribe | - | +| SONY DVD+R Ver. 1.3 | X | +| PHILIPS DVD+R LightScribe | X | + + +Play Call of Duty: Black Ops +============================ + +To play CoD:BO (and not get stuck in the *"Loading…"*-screen), you'll need the cIOS rev20b found [here](http://filetrip.net/f12411-cIOS-Installer-Xr20b.html). +Install using IOS249 from base 57 into slot 249. After that, the game should work. diff --git a/know-how/hacking/sony-playstation-2/_posts/2008-12-05-dms4pro.md b/know-how/hacking/sony-playstation-2/_posts/2008-12-05-dms4pro.md new file mode 100644 index 0000000..f39a1d9 --- /dev/null +++ b/know-how/hacking/sony-playstation-2/_posts/2008-12-05-dms4pro.md 
@@ -0,0 +1,17 @@ +--- +title: DMS4Pro +language: en +layout: default +created: 2008-12-05 00:31:21 +0100 +updated: 2008-12-05 00:31:21 +0100 +toc: false +tags: + - know-how + - hacking + - hardware + - sony + - playstation + - pstwo + - dms4pro +--- +**Firmware:** [sksapps.com](http://www.sksapps.com/index.php?page=dms4.html) (Latest is 0.41) diff --git a/know-how/hacking/windows-mobile/_posts/2008-09-12-oggsync.md b/know-how/hacking/windows-mobile/_posts/2008-09-12-oggsync.md new file mode 100644 index 0000000..16c1cb1 --- /dev/null +++ b/know-how/hacking/windows-mobile/_posts/2008-09-12-oggsync.md 
@@ -0,0 +1,74 @@ +--- +title: OggSync for Windows Mobile +language: en +layout: default +created: 2008-09-12 22:19:31 +0200 +updated: 2008-09-12 22:19:31 +0200 +toc: false +tags: + - know-how + - hacking + - hardware + - microsoft + - windowsmobile +--- +**Tested Version:** 4.19 + +OggSync connects to `https://oggsync.com/r/r` or `https://oggsync.com/r/e` and sends the entered info (PayPal eMail or +Registration Code) along with some other info. You can find these URLs in cleartext Unicode inside the `ogsync.exe`. +The relevant fields of a `$_SERVER` dump are those: + +**PayPal:** (I entered `anon@anon.com` as eMail address.) + +~~~ + [CONTENT_TYPE] => application/x-www-form-urlencoded + [HTTP_A] => 2008-09-10 3:58 PM + [HTTP_B] => 419 + [HTTP_C] => 9465c02d-d768-4892-bc4d-45ea13c042dc + [HTTP_D] => your-gmail@gmail.com + [HTTP_E] => + [HTTP_F] => 9/12/2008 8:03 PM + [HTTP_G] => 49e744a1-ff3b-40f7-baf0-a96239fa0830 + [HTTP_H] => PayPal + [HTTP_I] => anon@anon.com + [HTTP_K] => W. Europe Daylight Time + [HTTP_L] => + [HTTP_M] => mobile + [CONTENT_LENGTH] => 22 + [HTTP_CONNECTION] => Close + [HTTP_EXPECT] => 100-continue +~~~ + +**Registration Code:** (The `12345` is the code I entered.) + +~~~ + [CONTENT_TYPE] => application/x-www-form-urlencoded + [HTTP_A] => 2008-09-10 3:58 PM + [HTTP_B] => 419 + [HTTP_C] => 9465c02d-d768-4892-bc4d-45ea13c042dc + [HTTP_D] => your-gmail@gmail.com + [HTTP_E] => + [HTTP_F] => 9/12/2008 8:01 PM + [HTTP_G] => c4781924-a538-41e8-8cb6-624e02b8d271 + [HTTP_H] => Registration + [HTTP_I] => 12345 + [HTTP_K] => W. Europe Daylight Time + [HTTP_L] => + [HTTP_M] => mobile + [CONTENT_LENGTH] => 22 + [HTTP_CONNECTION] => Close + [HTTP_EXPECT] => 100-continue +~~~ + +The first UUID in `HTTP_C` might be a unique code to identify your device. The second one changes with every try to +register. 
There was a post in the [PPCWarez-Forum](http://forum.ppcwarez.org/) that *OggSync* expects the server to +answer with "Pro" if the registration data is correct. Any other answer will be interpreted as failure. + +Knowing this, you might wonder what happens if you use your favourite hex-editor, change the URLs to point to a server +you own and put this totally complicated PHP script onto it: + +{% highlight php %} + +{% endhighlight %}
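Review bot: in the Wi-Fi method of the backup-savegames hunk, `NDS_Backup_Tool_Wifi.ini` holds the FTP server's IP, port, username and password in plaintext on the microSD, and FTP itself sends the same credentials unencrypted over the wireless link; the post should tell the reader to create a throwaway FTP account restricted to a single upload directory rather than reuse a real login. Wording: "despite of the switching cartridges" should read "apart from the cartridge switching".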
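Review bot: the feature list in the EZFlash 3in1 hunk appears to count one memory twice: "RAM expansion (e.g. for *DS Opera Browser*)" and "16 MiB SRAM" are separate bullets, while only the 512 KiB battery-backed SRAM is given a purpose. If the 16 MiB is the memory the RAM expansion provides, fold the two bullets into one and say so; if it is a different part, state what it is used for.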
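Review bot: the two header dumps in the ndstool hunk disagree at offset 0x34 for the same ROM: the C tool prints "0x34 ARM7 entry address 0x2380000", the Python clone prints "0x34 ARM9 entry address 0x2000800", which just repeats its 0x24 line. The text introduces the clone only as having "limited functionality" and doing UTF-8, so the post should say explicitly that the clone mislabels this field (and prints 0x6E before 0x68); a reader verifying a dump against these offsets would otherwise take the ARM7 entry point to be 0x2000800.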
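Review bot: in the extract-sound hunk the command `ndstool -x -d data .nds` has lost the ROM filename before `.nds` (most likely an angle-bracket placeholder swallowed as an HTML tag), so as printed it asks the shell for a file literally named `.nds`; write the placeholder without brackets, for example `ndstool -x ROM.nds -d data`. Separately, `ndssndext.exe` is downloaded from a 4shared.com file share and executed under Wine with no checksum or origin recorded; the post should at least give the hash of the binary it was tested with so readers can tell a re-upload from the original.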
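Review bot: in the CycloDS Evolution hunk the bullet after "There's even a direct link to the latest version of the file:" is empty, so the link itself was lost (a bare URL in angle brackets dropped by the renderer, as in other posts of this commit); restore it as a markdown link. The same hunk says homebrew runs "from a miniSDHC card", while the backup-savegames post in this commit tells the reader to unpack the tool "to your microSD"; the two posts should agree on the card format.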
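Review bot: the ROM Trimming section of the dump-games hunk states that the unused tail of a cartridge is "filled with `0x00`" and that Wi-Fi games "mostly" keep connection info there, but gives the reader no way to check either before trimming. A trimmer decides where the game ends by that filler byte, so the post should say how the value was determined, suggest inspecting the tail of one's own dump (for example with `xxd`) and advise testing Wi-Fi in the trimmed ROM before discarding the full dump. The "35 MiB on a 64 MiB cartridge, 29 MiB empty" arithmetic is fine.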
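Review bot: step 5 of the Twilight Hack hunk ("delete savegame on your Wii and copy the Twilight Hack savegame from your SD card") overwrites the reader's own Zelda save without warning; add a step to copy the existing save to the SD card first. The last step installs "all files found in `/wad`" unconditionally, so the post should stress that nothing but the WADs the reader deliberately chose may be in that directory, since anything else there is written to the console as well. The "for the Wii 3.3 firmware" caveat is important and should stay next to the download link.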
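Review bot: the Wii Savegame Editing hunk opens by saying the tools "decrypt and recrypt" savegames but closes with "you can uncompress savegames data.bin using `tachtig` and recompress them using `twintig`"; the last sentence should say decrypt and re-encrypt, since the operation needs `sd-key` and `sd-iv`, not a compression codec. The hunk also asks the reader to build the "exactly 16 Bytes" key files by hand in `ghex2`; suggest adding `wc -c ~/.wii/*` as the check that each file is 16 bytes, and cross-link the Nintendo Wii Encryption Keys post in this same commit, which repeats the instruction and lists a fourth key (`common-key`).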
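Review bot: the `smb.conf` on the SD card in the MPlayer and Samba hunk stores the Samba password in plaintext (`pass=somethingelse`) on a removable card; since the post already requires a dedicated Samba user, it should add that this account gets read-only access to that one share and no login shell, so a lost card exposes nothing else. Typo: "as tehskeen.com" should be "at tehskeen.com".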
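Review bot: the Nintendo Wii Encryption Keys hunk has the reader paste each key into a hex editor to get a 16-byte file; a less error-prone instruction is `echo ebe42a225e8593e448d9c5457381aaf7 | xxd -r -p > ~/.wii/common-key` (and likewise for the other three), followed by `wc -c ~/.wii/*` to confirm every file is exactly 16 bytes, because a text-mode paste with a trailing newline yields 17. Each listed key is 32 hex digits, which matches the stated 16-byte length.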
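Review bot: the Wii Homebrew Channel hunk writes an ordered procedure as `*` bullets while every other procedure in this commit uses `1.` lists; switch to the numbered form. The last step says to try BootMii "as boot2, if it doesn't work, install as IOS" without saying why the order matters: the Backup games post in the same commit relies on a BootMii NAND backup as its safety net against bricking, and only the boot2 install can be started without a working System Menu, so the post should say that the IOS fallback gives no unbrick protection.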
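Review bot: the "**Homepage:**" line in the USBLoader GX hunk is empty, so its URL was lost (a bare URL in angle brackets, as elsewhere in this commit); the Backup games to USB HDD post in the same commit lists usbloadergx.koureio.net as the USBLoader GX homepage, so reuse that link here.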
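Review bot: in the Backup games to USB HDD hunk the NAND backup sub-steps under step 1 never say how, or under which BootMii install mode, the backup can be restored, although the warning immediately above ("you could brick your Wii") is the whole reason for taking it; add a sentence that a restore requires BootMii installed as boot2 (see the Homebrew Channel post in this commit) and that a BootMii-as-IOS install cannot recover a bricked console. Minor: the "make a backup of your NAND flash" line is a `*` bullet nested inside a `1.` list whose own sub-steps are numbered, which renders oddly; make it a numbered step.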
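Review bot: the `{% highlight php %}` block at the end of the OggSync hunk is empty, so the "totally complicated PHP script" the text refers to is missing (the `<?php ... ?>` line was presumably swallowed as a tag); restore it, since without it the post's point, that the client accepts any server that answers "Pro", is never shown. Two things the text should also state: the URLs are `https://oggsync.com/...`, so redirecting the client by hex-editing the URL only works if the client does not validate the server certificate or the scheme can be changed to `http://`, and the post should say which it is; and the `$_SERVER` dumps show every registration attempt shipping the user's Gmail address (`HTTP_D`) and a UUID that stays constant across attempts (`HTTP_C`) to the vendor, which is the privacy finding here and deserves a sentence of its own. The 22-byte POST body (`CONTENT_LENGTH` 22) is never shown; include it, since the `HTTP_I` value already travels in a header.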