mbirth/wiki.mbirth.de
1
0
Fork 0
mirror of https://github.com/mbirth/wiki.git synced 2024-11-09 13:16:45 +00:00
Code Issues Releases Wiki Activity

Added Wii, NDS and some more posts.

Browse Source
This commit is contained in:
Markus Birth 2015-03-01 01:53:21 +01:00
parent c31d911dcf
commit 7110d8c477
40 changed files with 1447 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/battery_cutplace.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
assets/battery_normal.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
assets/battery_opened.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
assets/battery_pcbbend.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
assets/cyclodsevo.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
assets/ez3in1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
assets/nintendo_ds_lite.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
assets/s93c56scheme.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.1 KiB

BIN
assets/samsung_se-t084m.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

20
know-how/hacking/_posts/2008-12-05-sony-playstation-2.md Normal file
View File

@ -0,0 +1,20 @@
---
title: Sony PlayStation 2
language: en
layout: default
created: 2008-12-05 00:31:49 +0100
updated: 2008-12-05 00:31:49 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- sony
- playstation
- pstwo
---
<ul>
{% for page in site.categories.sony-playstation-2 %}
<li><a href="{{ page.url }}">{{ page.title }}</a></li>
{% endfor %}
</ul>

64
know-how/hacking/_posts/2009-02-02-samsung-sgh-z300.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Samsung SGH-Z300/ZM60
language: en
layout: default
created: 2009-02-02 18:44:27 +0100
updated: 2009-02-02 18:51:02 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- samsung
- phone
---
I got a Samsung ZM-60 from T-Mobile (incl. SIMlock). The first shock came after switching it on for the first time:
Everything was in the T-Mobile magenta color. After some research, I found out, that it's originally a `SGH-Z300`.
Firmware flashing
=================
Instructions on how to flash a new firmware are on [handy-faq.de](http://www.handy-faq.de/forum/showthread.php?t=13916).
There also was a nice collection of firmware images on [anvi.it](http://www.anvi.it/forum/index.php?showtopic=20637),
but seems to be down for now.
The best firmware seems to be the `Z300AIEK1`, since it is only slightly branded by *TIM* (an Italian provider?) and
contains everything the original Samsung-Firmwares do.
You can use the supplied cable to flash the phone.
1. run the *Downloader Z300-Z500*
1. find your desired firmware file
1. power off the phone, hold the <kbd>9</kbd> key and power it on so that the outer display shows "Download" on red
background
1. initiate the transfer
The flashing takes about 12 minutes and after that, you have the original Z300 Samsung theme.
SIMlock
=======
To remove the SIMlock, there's a manual at [gsmhosting.com](http://forum.gsmhosting.com/vbb/showthread.php?t=239111).
You need the *Qualcomm Unlocker* and a PC with a `COM1:` port where you need to short the Pins #2 and #3. Then it's a
thing of 20 seconds to get rid of the SIMlock.
Downloading jar files
=====================
The phone accepts `.jar` files from any server if it sends the content type `application/java-archive` instead of
`application/octet-stream`. This is easily accomplished by adding a `.htaccess` file with the line
AddType application/java-archive .jar
to the directory where the `.jar` files are on your server.
Phone identification
====================
The phone sends the following User-Agent to websites:
SGH-Z300 SHP/VPP/R5 SMB3.1 SMM-MMS/1.2.0 profile/MIDP-2.0

18
know-how/hacking/_posts/2009-02-02-siemens-a55.md Normal file
View File

@ -0,0 +1,18 @@
---
title: Siemens A55
language: en
layout: default
created: 2009-02-02 22:30:48 +0100
updated: 2009-02-02 22:30:48 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- siemens
- phone
---
A friend visited me bringing two A55 with SIMlock. Both were from the same provider and both didn't accept the
unlocking code from the provider for some reason. After trying the usual tools without luck, we used the [testpoint method](http://www.allsiemens.com/testpoints/siemens-A55.htm).
Using very sharp tweezers, we scratched away the protective from the desired trace and cut it. Now we were able to use
*Freia* without any problems. (set to "Bootcore Bug")

69
know-how/hacking/_posts/2009-02-02-siemens-gigaset.md Normal file
View File

@ -0,0 +1,69 @@
---
title: SIEMENS Gigaset
language: en
layout: default
created: 2009-02-02 02:15:29 +0100
updated: 2009-02-02 22:27:14 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- siemens
- phone
---
Service mode
============
Hold keys **1**, **4** and **7** while turning on the phone. You will see the display test.
Service menu
============
Power-on the phone into service mode and type `76200` (4000er series) or `46395`[^1] (2000er and 3000er series) to get
to the service menu.
There you can check some options and on the next regular power-on, you'll see the checked infos on the display. To get
everything back to normal, repeat the procedure to uncheck these options.
Factory reset
=============
Power the phone on into service mode and type `4685463` to reset the phone to factory settings - **completely**, i.e.
incl. all phonebook entries. (The normal factory reset keeps them!)
Phone code
==========
If you forgot the phone code, there seem to be 2 ways:
**1.** Get into the service menu and type: `4#`, push *OK*, `*R#R`, *OK*, `8#9*` and the red button.
**2.** Get into the service menu, move the selection to the menu separator (`---------`) and type: `89376200`.
EEPROM patcher
==============
:warning: Doesn't work for all phones!
Get into service mode and type `337766`. This is useful to prepare older *SL74* models for MMS sending:
1. get into the EEPROM patcher
1. Type part #1: `63508 65443 32604` and confirm with *OK*
1. Type part #2: `58644 58028 59475` and *OK*
1. power off the phone and power on again
Approval test
=============
Hold **1**, **3** and **0** while powering on the phone. (**1**, **5**, **9** and **0** should also work)
Seems to be a mode where the phone sends data all the time so that you can test radiation.
[^1]: Zip code of *Bocholt* where the Gigasets are/were built

54
know-how/hacking/_posts/2009-02-02-siemens-m65.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Siemens M65
language: en
layout: default
created: 2009-02-02 21:39:52 +0100
updated: 2009-02-02 22:26:57 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- siemens
- phone
---
A M65 of my in-laws seemed broken so I took it home to play around with my `DCA-510`-cable.
It showed firmware rev. 15 … the current one was rev. 58. I read somewhere that older firmware WILL produce problems so
I was glad that it might be a software problem instead of a hardware one.
Upgrading firmware
==================
So I got the latest firmware from [allsiemens.com](http://www.allsiemens.com/flash/M65.htm) and tried to flash the
phone. Damn! The M65 was from Vodafone and thus the ID was `M6V` instead of `M65`. Since I hate brandings, I needed a
way to change that value.
After some experiments I found instructions at [gsm-multifund.de](http://www.gsm-multifund.de/board/showthread.php?t=8864)
(which seems to be offline now).
I needed *[x65flasher](http://www.allsiemens.com/soft/flashers-1.htm)* and since I updated the phone to [M6V v50](http://www.allsiemens.com/flash/M6V.htm)
before, I needed the supplied Java-Midlet `px75v1` to calculate the Hash and ESN for my phone. This needed around 3-5
minutes. After that, I was able to download a backup of the phone's firmware and then chose *Advanced* → *Change phone
model* to change it to `M65`. After writing it back to the phone, I did a *FFSinit* (see allsiemens.com) and was
finally able to flash the rev. 58 using *WinSwup*.
Also a nice page with many tips and instructions: [gsm-free.com](http://www.gsm-free.com/index.htm).
Patching the firmware
=====================
You can use [Smelter](http://www.allsiemens.com/soft/flashers-1.htm) to generate a list with possible patches for the
supplied firmware file which you can then apply using [V_KLay](http://www.allsiemens.com/soft/flashers-2.htm). There
are patches to e.g. disable some debugging (which makes the phone a bit faster) or enable the network monitor
(aka. *Develop. setup*) in the "My Menu".
Internal Filesystem
===================
If you want to get rid of the "Load games", "Load Ringtones", etc. menus, just use the [VSOFS-Plugin](http://www.totalcmd.net/plugring/vsofs.html)
for [Total Commander](http://www.ghisler.com/) to delete the file `\\M65\Config\Default\MagicLinks\MagicLinks.xml` and
the directory on the phone.

47
know-how/hacking/_posts/2009-02-02-teac-mp380.md Normal file
View File

@ -0,0 +1,47 @@
---
title: TEAC MP-380 / entryx EM850
language: en
layout: default
created: 2009-02-02 22:49:04 +0100
updated: 2009-02-02 22:49:04 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- teac
- entryx
- mp3player
---
A local discounter offered a MP4-player *[entryx EM850](http://www.entryx.de/deutsch/produkte/mp3player/2gb_mediaplayer_mp3.html)*
some time ago. The supplied firmware has some severe problems, e.g. the devices powers off while playing without touching it.
After some research, I found some thread at [discountfan.de](http://www.discountfan.de/forumneu/read.php?8,161599,162423)
which mentions that the device is originally built by [YIFANG](http://www.yifangdigital.com/Product/EM850.htm) and is
OEM'ed as [Meizu M6](http://en.wikipedia.org/wiki/M6_Mini_Player) or [TEAC MP-380](http://www.teac-shop.de/product_info.php/info/p151_MP-380-2GB-Flash-MP3-Player.html).
The TEAC firmware is brand new and thus fixes the problems of the entryx version. Since you can't download the firmware
from the TEAC homepage, you have to get it from [rapidshare.com](http://rapidshare.com/files/49786276/TEM850RB_PCB1.4_002_1.7.17_new.rar.html).
All other files you can get directly from YIFANG: On the [download page](http://rapidshare.com/files/49786276/TEM850RB_PCB1.4_002_1.7.17_new.rar.html)
further down you'll find a [EM850RB driver package](http://www.yifangdigital.com/download/driver/audio/em850rb.rar)
which also contains the firmware-updater and drivers for the Rock-chip (both contained in the *ConsumerUpdate* inside
the RAR archive). You have to unpack the ConsumerUpdate and install it.
Now do the following:
1. unplug the MP4-player from your PC
1. hold the <kbd>M</kbd> key while plugging it in and hold the <kbd>M</kbd> key for some more seconds
* the PC should show a new device and ask for drivers
1. choose manually selection of drivers and point it to the directory where you installed the ConsumerUpdate to
1. when the drivers are installed, run the `Consumer.exe` (for English language, change the `Consumer.ini` and set
`UILanguage` to `ENG` instead of `CH_S`)
1. choose the firmware file (`.rfw`) and click on *Update*
1. 3 minutes later, everything should be done, exit the Updater
1. unplug the device and power it on
* the upgrade should be launched
After the upgrade completed, you might have to format the internal storage for the player to recognize it.
Some little bonus: After the upgrade, you'll find a Tetris game as well as a FM-Tuner. But the latter one doesn't have
any reception - maybe they didn't add an antenna, although the IC would support it.

39
know-how/hacking/_posts/2009-02-02-zyxel-660hw67.md Normal file
View File

@ -0,0 +1,39 @@
---
title: ZyXEL Prestige 660HW-67
language: en
layout: default
created: 2009-02-02 20:55:24 +0100
updated: 2009-02-02 20:55:24 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- zyxel
- prestige
- router
---
The 660HW-67 was distributed in Germany as the "WLAN Modem 100" through the Arcor ISP. It came with the firmware `QD.7`
which seems to be originally made for AOL.
To get the router ready for ADSL2+, I needed the `QQ.7` firmware which is the original one.
Firmware crossgrade
===================
**Manual:** [dslrouter-hilfe.de](http://www.dslrouter-hilfe.de/forum/showthread.php?t=16411)
The big problem is that the `rom-0` of the original firmware is 48 KiB whereas that of the AOL firmware is only
*16 KiB*. Usually, you make an upgrade by updating the `rom-0` file (which contains default settings) and then update
the firmware itself which then reads the new default settings upon the next boot. Since the router didn't accept the
new settings, it stuck after the reboot.
This is how it works (using the serial connector on the PCB and a terminal program):
1. upload the new firmware file completely
* the router will complain that the `rom-0` doesn't match and ask you to upload a new firmware
1. upload the new firmware again but cancel the upload after about 600 KiB (~12 min at 9600 baud)
* the router will boot into a debug mode
1. upload the new `rom-0` file
1. upload the new firmware file

32
know-how/hacking/_posts/2009-03-10-nintendo-ds.md Normal file
View File

@ -0,0 +1,32 @@
---
title: Nintendo DS
language: en
layout: default
created: 2009-03-10 00:43:19 +0100
updated: 2009-03-10 01:13:42 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
(DS = Dual Screen)
![]({{ site.url }}/assets/nintendo_ds_lite.jpg)
<ul>
{% for page in site.categories.nintendo-ds %}
<li><a href="{{ page.url }}">{{ page.title }}</a></li>
{% endfor %}
</ul>
* also see: [Nintendo Wii]({% post_url 2009-03-10-nintendo-wii %})
Links
=====
* [Nintendo DS homebrew](http://en.wikipedia.org/wiki/Nintendo_DS_homebrew)
* [Hacking Nintendo DS](http://doc.kodewerx.org/hacking_nds.html) --- list of ActionReplay code structure and some generic assembler codes

28
know-how/hacking/_posts/2009-03-10-nintendo-wii.md Normal file
View File

@ -0,0 +1,28 @@
---
title: Nintendo DS
language: en
layout: default
created: 2009-03-10 00:43:19 +0100
updated: 2009-03-10 01:13:42 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
<ul>
{% for page in site.categories.nintendo-wii %}
<li><a href="{{ page.url }}">{{ page.title }}</a></li>
{% endfor %}
</ul>
* also see: [Nintendo DS]({% post_url 2009-03-10-nintendo-ds %})
Links
=====
* [The Homebrew Channel](http://hbc.hackmii.com/)
* [WiiBrew Wiki](http://wiibrew.org/wiki/Main_Page)

23
know-how/hacking/_posts/2009-05-16-msi-rg54se.md Normal file
View File

@ -0,0 +1,23 @@
---
title: MSI RG54SE
language: en
layout: default
created: 2009-05-16 22:20:01 +0200
updated: 2009-05-16 22:20:01 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- msi
- router
---
Sold under following names:
* CC&C WA-2204A
* Blanc BW54R11
* Bluecomm WA-2204A
* Canyon WF514v2
* GigaFast WF719-CAPR
* ZCOMAX WA-2204A
* Zonet ZSR1114WE

46
know-how/hacking/_posts/2009-10-26-samsung-se-t084m.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Samsung SE-T084M
language: en
layout: default
created: 2009-05-15 15:59:19 +0200
updated: 2009-10-26 21:41:59 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- samsung
- drive
---
The SE-T084M is an external USB burner with everything but BluRay burning.
![]({{ site.url }}/assets/samsung_se-t084m.jpg)
Firmware
========
* there are different models - some with *TruDirect*, some without
* the *TruDirect* models have firmwares `TD00`..`TD02`
* the non-TruDirect models have firmwares `TS00`..`TS02`
* [US firmware downloads](http://www.samsung.com/us/support/download/supportDown.do?group=&type=opticaldiscdrives&subtype=dvdwriter&model_nm=SE-T084M&language=&cate_type=all&dType=D&mType=FM&vType=&prd_ia_cd=05050500&disp_nm=SE-T084M&model_cd=&menu=download) *old Tx00 version*
* [Samsung Optical Disc Drive Division](http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp?FunctionValue=view&no=614&SearchWord=&SearchMode=&PageNumber=1&product_code=&os_no=) *latest TD02 veresion*
RPC1
====
*RPC1* means removing the region code or region-switching lock from the drive. Normally the DVD drive is set to your
region (1..5) so that you can only play DVDs from your region. You can change this region 5 times with the last change
being permanently.
RPC1 means removing this limit. Also you can sometimes set your drive to region code **0** which will allow you to play
DVDs of any region.
You can enable *RPC1* by using [MCSE](http://forum.rpc1.org/viewtopic.php?f=2&t=41228&st=0&sk=t&sd=a&start=125).
<p><div class="noteclassic" markdown="1">
Windows XP will continue to show a *X changes left* in the region settings. But this is a software lock. Open *RegEdit*
and go to `HKEY_LOCAL_MACHINE\Software\Microsoft`. There you'll find a key with strange characters (something like `';t-z%`)
which contains a single REG_QWORD value. Delete the whole key and you'll be back at *5 changes left*.
</div></p>

188
know-how/hacking/_posts/2010-01-11-sony-psp.md Normal file
View File

@ -0,0 +1,188 @@
---
title: SONY PlayStation Portable
language: en
layout: default
created: 2010-01-08 08:47:41 +0100
updated: 2010-01-11 21:39:20 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- sony
- playstation
- psp
---
* **Model:** PSP Slim (PSP-2004)
* **Battery:** PSP-S110
<p><div class="noteclassic" markdown="1">
Please note that these things only work for PSP-1xxx and PSP-2xxx with a date code (found behind battery!) of `8B` or
less. If you have a newer PSP or a PSP-3xxx, you will most likely have a **TA-88v3** mainboard and destroy it by trying
the things described here.
</div></p>
PSP-S110 Pandora Battery
========================
* <http://board.gulli.com/thread/865045-pandora-pandora-batterie-ohne-hombrew-psp-erstellen/12/>
The original shipped battery of type `PSP-S110` can be made a Pandora-battery which enables developer features on the PSP.
Opening the battery
-------------------
![]({{ site.url }}/assets/battery_normal.jpg)
The housing of the battery is glued together around the side. **DO NOT TRY TO OPEN IT WITH A SCREWDRIVER** as you can
easily produce shorts which may even make the battery explode or destroy it forever.
The best way is to use your fingernails and a stronger guitar pick (or something else non-conducting material).
After opening, it will look like this:
![]({{ site.url }}/assets/battery_opened.jpg)
Now carefully bend over the PCB.
![]({{ site.url }}/assets/battery_pcbbend.jpg)
Identify target
---------------
Identify the small 8-pin IC with the label `S93C56` near the **`IC04`** printed on the PCB - this is an EEPROM which
holds information about the battery. We want to stop it sending that information to the PSP.
Looking at a [data sheet](http://www.alldatasheet.com/view.jsp?sSearchword=S93C56), we will find this picture:
![]({{ site.url }}/assets/s93c56scheme.png)
Now there are 2 ways to interfere: We can disconnect the `CS` pin which indicates when a new command is about to be
sent to the IC or we can short the `DO` (data output) pin to `Vcc` so that there will be no readable output from the IC.
If you regularly need a Pandora battery, you can even solder a switch instead of cutting/shorting the points.
### Disconnect CS
* <http://www.psp-forum.com/tutorials-guides/10453-tutorial-make-pandora-battery-stick-no-cfw-psp.html>
The CS line is used to tell the EEPROM when it has to listen for commands. By cutting this line, the EEPROM won't be
able to work anymore and thus you will have a Pandora battery. If you do it right, then you can undo the cut with a
normal pencil (the lead in the pencil is conductive).
Find the line with the **`19`** printed nearby. It is the one going from the top right pin of the IC. Use a razor knife
to cut it at this point (marked red):
![]({{ site.url }}/assets/battery_cutplace.jpg)
That was it! Just assemble everything back and use some adhesive tape to hold the battery together. If you put it into
your PSP (with AC adaptor unplugged), the green *Power*-LED should automatically turn on without doing anything else.
Congratulations. You now have a Pandora battery.
<p><div class="notetip">
If you want to make it a normal battery later, use a lead pencil and draw along the cut a few times. Check that the PSP
doesn't turn on when inserting the battery. If everything works as you want, you can also glue the battery together again.
</div></p>
### Short DO and VCC
* <http://www.psp-hacks.com/2007/10/22/one-wire-pandora-battery-no-software-required/>
Magic MemoryStick
=================
A *Magic MemoryStick* contains a special boot-code which provides means to update the firmware of the PSP. There are
different tools to create one:
* [Ultimate Pandora Magic Stick](http://www.psp-hacks.com/file/1326)
* [TotalNewbi Installer](http://www.megaupload.com/?d=gvzi5ne4)
* [PSPGrader v008](http://pspslimhacks.com/psp-grader-v008/)
* [Rain's UltraLite MMS Maker](http://pspslimhacks.com/rains-ultralite-mms-maker-for-500-m33-4/)
These are all mostly self-explanatory.
After some playing around with my 120MB *MemoryStick Duo* without luck, I came to the conclusion, that you **really need
a *Pro Duo*** for this thing to work. The limit for sticks up to 2GB is gone. You can use any stick - mine was a *8GB
MemoryStick Pro Duo Mark 2*. Be sure to backup all files first.
Using *PSPGrader* and *Rain's UltraLite MMS Maker* didn't work in the first place (tried both with the *Format
MemoryStick* option). The latter one gave the *["IPL failed to inject"](http://www.psp-hacks.com/forums/archive/index.php/t-232186.html)*
error. I then used the `mspformat.exe` from the *TotalNewbi Installer* to format the USB stick. After that, using
*Rain's* (without the *Format* option checked) finally worked and I had a *Magic MemoryStick*.
Using the Magic MemoryStick
---------------------------
To make the PSP load the custom file from the MemoryStick, you have two options:
1. without the MemoryStick in the slot and without AC adapter plugged, put the Pandora battery into
1. the green *Power*-LED should turn on, anything other stays off
1. hold the <kbd>L</kbd> shoulder button while inserting the MMS
1. now the *WIFI*- and *M*-LEDs should flicker and boot the file
you can also do it the other way around:
1. without AC adapter plugged and without battery inserted, put the MMS into the slot
1. hold the <kbd>L</kbd> shoulder button while inserting the Pandora battery
1. the green *Power*-LED should turn on and the *WLAN*- and *M*-LEDs should start to flicker
If only the green *Power*-LED comes on with none of the other LEDs flickering, your Magic MemoryStick mostly doesn't
work. In some rare cases you might have a PSP with the newer mainboard (TA-88v3). Find out [here](http://www.dcemu.co.uk/vbulletin/showthread.php?t=183671).
You might also try [this](http://www.qj.net/psp/homebrew-applications/dark-alex-releases-ta-088v3-identifier-find-out-if-your-psp-is-unhackable.html).
Flashing custom firmware
========================
* <http://forums.gametrailers.com/thread/the-official-psp-custom-firmwa/785993?page=31>
* <http://www.pspmod.com/forums/psp-software-guides/45253-how-install-psp-custom-firmware.html>
* [Team GEN Forums](http://www.pspgen.com/forums/) (mostly French, but one is English)
* [List of all CFWs incl. some background info](http://alek.dark-alex.org/pspwiki/index.php/Custom_Firmwares)
After using the MMS and selecting the first option *Flash install 5.00M33-4*, you will have *Dark Alex*'s firmware on
your PSP. Upgrade it to the latest version by following the steps [here](http://www.atmaxplorer.com/2008/10/psp-custom-firmware-500-m33-is-released/2/).
Just download the *5.00 M33-5*, install it as described there then do the same with the *5.00 M33-6*.
Now you have the choice of switching over to *Team GEN*'s firmware which should support all the latest games. To do
this, use the *XGen Updater* as described [here](http://www.atmaxplorer.com/2009/12/install-psp-custom-firmware-5-50-gen-d3/).
The firmware file is also available [here](http://www.psp-hacks.com/file/1873). Newer versions can then be found in the
Downloads section of [psp-hacks.com](http://www.psp-hacks.com/category/39).
<p><div class="noteimportant" markdown="1">
**ATTENTION!** If you have problems with corrupted savegames or UMD titles not starting, please use the [5.50GEN-D2 Quick Updater](http://dl.qj.net/psp/homebrew-applications/cfw-550gen-d2-quick-updater.html)
to downgrade to that version until 5.50GEN-D4 is out. You might also try [these steps](http://www.pspgen.com/forums/interesting-tidbit-for-those-haveing-trouble-t192838.html)
before doing the downgrade.
If you don't have a backup of your saves, try [this](http://www.maxconsole.net/forums/showpost.php?s=a3670fea1205db04755ba1c6f42f65aa&p=1122026&postcount=3)
to possibly recover them.
</div></p>
Backup your games
=================
* <http://forums.exophase.com/showthread.php?t=4440>
* <http://www.stylemo.com/2007/11/06/how-to-create-iso-backups-of-your-psp-games/>
After you made a backup, copy the resulting `ISO` file into a folder `ISO` on your PSP's MemoryStick. It will then
appear in the game menu under *MemoryStick*.
Homebrew Apps
=============
* [CWCheat System](http://cwcheat.consoleworld.org/index.php)
Links
=====
* <http://forums.afterdawn.com/thread_view.cfm/591203>
* <http://www.pspmod.com/forums/psp-hardware-guides/28603-guide-using-pandoras-battery-easy-way-but-you-must-have-cfw.html>

48
know-how/hacking/nintendo-ds/_posts/2009-03-15-backup-savegames.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Backup Savegames on Nintendo DS
language: en
layout: default
created: 2009-03-15 14:34:37 +0100
updated: 2009-03-15 22:16:40 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
To backup savegames from your cartridges (e.g. for use with a ROM dump on a card like the
[CycloDS Evolution]({% post_url 2009-03-22-cyclods-evolution %})) there are two ways.
EZFlash 3in1 method
===================
You'll need a Slot1-homebrew launcher (like the [CycloDS]({% post_url 2009-03-22-cyclods-evolution %})) and the [EZFlash 3in1]({% post_url 2009-03-15-ezflash-3in1 %})
Slot2-Flash-Expansion (*EZFlash Plus* might not work!).
1. Download and install (on your microSD) the *NDS Backup Tool 3in1* from [Rudolph](http://www009.upp.so-net.ne.jp/rudolph/nds/Backup/)
1. Make sure the EZFlash 3in1 is in your Slot2 and the CycloDS containing the card with the *NDS Backup Tool* is in Slot1
1. Launch CycloDS and use it to run the backup tool
1. Make sure you are in the **Save Backup** mode (if not, press <kbd>L</kbd> until you are)
1. Press <kbd>B</kdb> to create a new savegame dump
1. You are prompted to remove the current Slot1 card (CycloDS) and put in the card of the game … do so!
1. Press <kbd>A</kbd> when ready
1. Now the savegame data will be copied to the Flash of the EZFlash 3in1 card
1. You are prompted to turn off the DS and re-run the *NDS Backup Tool*
1. Turn off the NDS (or press <kbd>A</kbd>), remove the game cartridge and insert the CycloDS cartridge again
1. When loading CycloDS, hold <kbd>L-R</kbd> to automagically re-run the backup tool
1. Confirm the copy process by pressing <kbd>A</kbd>
1. Now the savegame data will be copied from the EZFlash to your microSDHC card
1. You're done. The savegame will be in a folder `/NDS_Backup/` on your microSDHC card.
1. (You might have to rename the savegame file to the same name as the backup ROM of the game.)
Wi-Fi method
============
I did not test this method, but it needs a working Wi-Fi-connection from your NDS to your Access Point and some PC in
your network. You'll have to setup a FTP server. Download the *NDS Backup Tool WiFi* from [Rudolph](http://www009.upp.so-net.ne.jp/rudolph/nds/Backup/),
unpack to your microSD and modify the file `NDS_Backup_Tool_Wifi.ini` and enter the IP, Port, Username and Password of
your FTP server. The rest of the process should be similar to the above (despite of the switching cartridges).

35
know-how/hacking/nintendo-ds/_posts/2009-03-15-ezflash-3in1.md Normal file
View File

@ -0,0 +1,35 @@
---
title: EZFlash 3in1
language: en
layout: default
created: 2009-03-15 15:49:39 +0100
updated: 2009-03-15 22:17:41 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
<img src="{{ site.url }}/assets/ez3in1.jpg" alt="" width="200" />
* **Homepage:** [ezflash.cn](http://www.ezflash.cn/home.htm)
* **Detailed specs:** [gbatemp.net](http://wiki.gbatemp.net/wiki/index.php/3_in_1_Expansion_Pack_for_EZ-Flash_V)
* **Specs and some tutorials:** [cyclods.theta.in](http://cyclods.theta.in/wiki/EZFlash_V_3-in-1)
The EZFlash 3in1 is a GBA-cartridge for the Slot2 of the NDS which provides the following features:
* RAM expansion (e.g. for *DS Opera Browser*)
* Rumble pack
* 32 MiB Flash memory
* 16 MiB SRAM
* 512 KiB battery powered SRAM for savegame data
*[DS]: Dual Screen
*[RAM]: Random Access Memory
*[NDS]: Nintendo Dual Screen
*[GBA]: Nintendo GameBoy Advance
*[SRAM]: Static Random Access Memory

23
know-how/hacking/nintendo-ds/_posts/2009-03-15-wii-downloads.md Normal file
View File

@ -0,0 +1,23 @@
---
title: Wii Downloads
language: en
layout: default
created: 2009-03-10 00:51:47 +0100
updated: 2009-03-15 22:18:54 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
The *Nintendo Channel* on the [Nintendo Wii]({% post_url 2009-03-10-nintendo-wii %}) allows you to download Demo
versions of NDS games right to your NDS to play. Just do the following:
1. go to the *Nintendo Channel*
1. go to the video overview
1. click "Categories" on top
1. select **DS Download Service**
1. just select a game, wait for it to download
1. follow the on-screen instructions

137
know-how/hacking/nintendo-ds/_posts/2009-03-16-ndstool.md Normal file
View File

@ -0,0 +1,137 @@
---
title: ndstool
language: en
layout: default
created: 2009-03-16 00:48:30 +0100
updated: 2009-03-16 00:48:30 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
The `ndstool` can show header information of ROM files as well as extract the game logo or even the whole ROM contents.
It also can recombine the extracted ROM contents to a working ROM again.
* **Homepage:** [darkfader.net](http://darkfader.net/ds/) (scroll down to *DS development tools*)
* **Blog:** [ndsdev.blogspot.com](http://ndsdev.blogspot.com/)
* **SVN:** [devkitpro.svn.sourceforge.net](http://devkitpro.svn.sourceforge.net/viewvc/devkitpro/trunk/tools/nds/ndstool/)
* **Linux binary:** [codinglab.blogspot.com](http://codinglab.blogspot.com/2007/07/nintendo-ds-homebrew-under-linux-ubuntu.html)
* **Python clone:** [jmoiron.net](http://dev.jmoiron.net/rom-seimei/) (limited functionality, but does UTF8)
Example output
==============
This is from the Linux binary (see above):
~~~
Nintendo DS rom tool 1.36 - Jul 31 2007 23:26:46
by Rafael Vuijk, Dave Murphy, Alexei Karpenko
Header information:
0x00 Game title BANDBROS DX
0x0C Game code AXBJ (NTR-AXBJ-JPN)
0x10 Maker code 01 (Nintendo)
0x12 Unit code 0x00
0x13 Device type 0x00
0x14 Device capacity 0x09 (512 Mbit)
0x15 reserved 1 000000000000000000
0x1E ROM version 0x00
0x1F reserved 2 0x00
0x20 ARM9 ROM offset 0x4000
0x24 ARM9 entry address 0x2000800
0x28 ARM9 RAM address 0x2000000
0x2C ARM9 code size 0xADBB4
0x30 ARM7 ROM offset 0x172000
0x34 ARM7 entry address 0x2380000
0x38 ARM7 RAM address 0x2380000
0x3C ARM7 code size 0x26F28
0x40 File name table offset 0x198F28
0x44 File name table size 0xBFF1
0x48 FAT offset 0x1A4F1C
0x4C FAT size 0x4BA8
0x50 ARM9 overlay offset 0xB1BC0
0x54 ARM9 overlay size 0x2E0
0x58 ARM7 overlay offset 0x0
0x5C ARM7 overlay size 0x0
0x60 ROM control info 1 0x00416657
0x64 ROM control info 2 0x081808F8
0x68 Icon/title offset 0x1A9C00
0x6C Secure area CRC 0xD9F8 (OK, decrypted)
0x6E ROM control info 3 0x0D7E
0x70 ARM9 ? 0x2000AAC
0x74 ARM7 ? 0x2380188
0x78 Magic 1 0x00000000
0x7C Magic 2 0x00000000
0x80 Application end offset 0x036DF558
0x84 ROM header size 0x00004000
0x88 ? 0x00004BA0
0x15C Logo CRC 0xCF56 (OK)
0x15E Header CRC 0xF657 (OK)
Banner CRC: 0x2934 (OK)
English banner text, line 1: _______
English banner text, line 2: ________DX
English banner text, line 3: Nintendo
ARM9 footer found.
Security data CRC (0x1000-0x2FFF) 0x6FFF
Segment3 CRC (0x3000-0x3FFF) 0x0000 (INVALID)
~~~
This is from the Python version:
~~~
Header Information:
0x00 Game title BANDBROS DX
0x0C Game code AXBJ (NTR-AXBJ-JPN)
0x10 Maker code 01 (Nintendo)
0x12 Unit code 0x00
0x13 Device type 0x00
0x14 Device capacity 0x09 (512 Mbit)
0x15 Reserved 1 000000000000000000
0x1E ROM Version 0x00
0x1F Reserved 2 0x00
0x20 ARM9 ROM offset 0x4000
0x24 ARM9 entry address 0x2000800
0x28 ARM9 RAM address 0x2000000
0x2C ARM9 code size 0xADBB4
0x30 ARM7 ROM offset 0x172000
0x34 ARM9 entry address 0x2000800
0x38 ARM7 RAM address 0x2380000
0x3C ARM7 code size 0x26F28
0x40 File name table offset 0x198F28
0x44 File name table size 0xBFF1
0x48 FAT offset 0x1A4F1C
0x4C FAT size 0x4BA8
0x50 ARM9 overlay offset 0xB1BC0
0x54 ARM9 overlay size 0x2E0
0x58 ARM7 overlay offset 0x00
0x5C ARM7 overlay size 0x00
0x60 ROM control info 1 0x00416657
0x64 ROM control info 2 0x081808F8
0x6E ROM control info 3 0x0D7E
0x68 Icon/Title offset 0x1A9C00
0x6C Secure area CRC 0xD9F8 (OK, decrypted)
0x70 ARM9? 0x02000AAC
0x74 ARM7? 0x02380188
0x78 Magic 1 0x00000000
0x7C Magic 2 0x00000000
0x80 Application end offset 0x036DF558
0x84 ROM header size 0x00004000
0x15C Logo CRC 0xCF56 (OK)
0x15E Header CRC 0xF657 (OK)
Banner CRC: 0x2934 (OK)
Japanese banner text, line 1: だいがっそう!
Japanese banner text, line 2: バンドブラザーズDX
Japanese banner text, line 3: Nintendo
ARM9 footer found.
Security data CRC (0x1000-0x2FFF) 0x6FFF
Segment3 CRC (0x3000-0x3FFF) (NYI)
~~~

28
know-how/hacking/nintendo-ds/_posts/2009-03-17-extract-sound.md Normal file
View File

@ -0,0 +1,28 @@
---
title: Extract Sound from ROMs
language: en
layout: default
created: 2009-03-17 20:41:05 +0100
updated: 2009-03-17 20:41:05 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
To extract sounds (or graphics) from a ROM, you'll need the [ndstool]({% post_url 2009-03-16-ndstool %})
and [ndssndext](http://www.4shared.com/file/68276816/8092229e/ndssndext_v04.html).
First extract the game data from ROM:
ndstool -x -d data <filename>.nds
This will create a new directory `data` containing all the game data. In there you'll most probably find a file `*.sdat`
somewhere. This is a sound archive format. Now run this through the `ndssndext` (I had to use *WinE*):
wine ndssndext.exe sound_data.sdat
This creates a new folder which contains more folders with the actual contents from the `.sdat`-file. These can be MIDI
files and/or (converted) WAV files.

42
know-how/hacking/nintendo-ds/_posts/2009-03-22-cyclods-evolution.md Normal file
View File

@ -0,0 +1,42 @@
---
title: CycloDS Evolution
language: en
layout: default
created: 2009-03-10 01:04:17 +0100
updated: 2009-03-22 13:01:57 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
<img src="{{ site.url }}/assets/cyclodsevo.jpg" alt="" width="200" />
* **Homepage:** [cyclopsds.com](http://www.cyclopsds.com/)
* **Firmware:** [cyclopsds.com](http://www.cyclopsds.com/cgi-bin/cyclods/engine.pl?page=support)
* **Comparison:** [joystiq.com](http://nintendo.joystiq.com/2008/05/20/ds-fanboys-semi-ultimate-homebrew-guide/)
* **Review:** [gameboy-advance.net](http://www.gameboy-advance.net/ds-lite/cyclods.htm)
* **Buy one:** [chipmonkey.de](http://chipmonkey.de/) (Germany)
The *CycloDS Evolution* is a cartridge for the NDS which adds homebrew capabilities. You can then run various homebrewed
titles from a miniSDHC card on the NDS. You can even play [backups of your own games]({% post_url 2009-03-23-dump-games %})
and thus take them all with you in a single cartridge.
Cheats Database
===============
The CycloDS Evo supports ActionReplay(tm) compatible cheat codes. The *Evolution Tools* (downloadable on their [Support page](http://www.cyclopsds.com/cgi-bin/cyclods/engine.pl?page=support))
supports downloading cheats from [codejunkies.com](http://codejunkies.com). After the processing is done, you get a
~600 KiB `user.evoCheats` file.
According to the [forums](http://www.teamcyclops.com/forum/showthread.php?t=1580), `codejunkies.com` is missing several
cheats for newer games, so you might want to download the database from [gbatemp.net](http://cheats.gbatemp.net/) which
is ~1,7 MiB. There's even a direct link to the latest version of the file:
* <http://cheats.gbatemp.net/latest/user.evoCHEATS.zip>
You might also want to trim your `default.evoCheats` file down to 0 Bytes and make it read-only so that only the newer
cheats database is used.

59
know-how/hacking/nintendo-ds/_posts/2009-03-23-dump-games.md Normal file
View File

@ -0,0 +1,59 @@
---
title: Dump Games
language: en
layout: default
created: 2009-03-15 14:41:43 +0100
updated: 2009-03-23 01:04:47 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
Dumping game cartridges is done the same way like [dumping savegames]({% post_url 2009-03-15-backup-savegames %}).
EZFlash 3in1 method
===================
The only difference here is that you might have to swap the cartridges more often since the Flash memory of the [EZFlash 3in1]({% post_url 2009-03-15-ezflash-3in1 %})
is only 32 MiB and some games are up to 128 MiB in size.
There's a nice tutorial with pictures at [monroeworld.com](http://www.monroeworld.com/myfaq/index.php?action=artikel&cat=7&id=129&artlang=en).
Here are some estimated times for dumping different sized game cartridges (copied from that page):
| Game size | Number of passes | est. time needed |
|----------:|:-----------------|-----------------:|
| 4 MiB | 1 pass | 2min 30sec |
| 8 MiB | 1 pass | 3min 15sec |
| 16 MiB | 1 pass | 4min 45sec |
| 32 MiB | 1 pass | 9min 30sec |
| 64 MiB | 2 passes | 14min 15sec |
| 128 MiB | 4 passes | 19min 00sec |
| 256 MiB | 8 passes | 38min 00sec |
Wi-Fi method
============
Be warned that the Wi-Fi transfer speed is somewhat "limited". Dumping a 128 MiB game takes almost **2 hours**. So make
sure your NDS is connected to its power adaptor.
ROM Trimming
============
Game cartridges have the typical memory ICs in binary sizes (8, 16, 32, 64, 128, 256 MiB) although the game often
doesn't occupy the whole memory. That means if a game is 35 MiB in size, it is shipped on a 64 MiB cartridge. When
dumping, you'll dump the whole 64 MiB although the last 29 MiB are empty (filled with `0x00`). So you can save a lot of
space if you trim a ROM down to the real size.
<p><div class="notewarning">
Games which use the WiFi feature mostly store their connection info in this empty space so using the wrong program to trim a ROM will break online capability of games.
</div></p>
A good trimmer is [NDSTokyoTrim](http://techsuki.net/nintendo-ds-rom-trimmer/) which can detect WiFi-games and leaves
the space for their settings.

24
know-how/hacking/nintendo-ds/_posts/2009-10-28-favourite-games.md Normal file
View File

@ -0,0 +1,24 @@
---
title: Favourite NDS Games
language: en
layout: default
created: 2009-03-23 00:34:05 +0100
updated: 2009-10-28 02:04:10 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- gaming
---
Here's a list of my favorite games:
| Game | Genre | Comment |
|:---------------|:---------:|:-------------------------------|
| Rittai Picross | Puzzle | very addictive |
| Time Hollow | Adventure | great story, great soundtrack |
| Another Code | Adventure | almost as great as Time Hollow |
| Korg DS-10 | Music | |
| Crosswords DS | Puzzle | |
| Picross | Puzzle | |

26
know-how/hacking/nintendo-wii/_posts/2008-07-18-twilight-hack.md Normal file
View File

@ -0,0 +1,26 @@
---
title: Wii Twilight Hack
language: en
layout: default
created: 2008-07-18 22:44:40 +0200
updated: 2008-07-18 22:44:40 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
The Twilight Hack is described at [Code Retard](http://www.coderetard.com/2008/05/07/install-wii-virtual-console-game-channels-with-wad-installer/).
It works by using a bug in *Zelda - Twilight Princess*. In short is goes like this:
1. get [WAD Installer 2.1](http://www.coderetard.com/wp-content/uploads/2008/05/wad-installer_v21.zip) and copy the
`wad-installer.elf` to the root directory of your SD-card and name it `boot.elf`
1. get the [Twilight Hack Beta](http://www.coderetard.com/wp-content/uploads/2008/06/twilight-hack-v01-beta1.zip) (for
the Wii 3.3 firmware) and copy the `rzdp.bin` as `data.bin` to `/private/wii/title/RZDP` (P for PAL).
1. copy all wanted games (`*.wad`-files) to a directory `/wad` on your SD card (4MiB ~ 59 blocks)
1. get *Zelda - Twilight Princess*, run it at least once on your Wii to create the savegame slot
1. insert SD card, delete savegame on your Wii and copy the Twilight Hack savegame from your SD card
1. now run *Zelda*, load game, walk towards the guy and talk to him
1. the screen goes black and shows the WAD Installer which installs all files found in `/wad`

27
know-how/hacking/nintendo-wii/_posts/2008-07-23-savegame-editing.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Wii Savegame Editing
language: en
layout: default
created: 2008-07-23 21:31:36 +0200
updated: 2008-07-23 21:31:58 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
Savegames, as well as almost all other files, are encrypted using some crypto magic. The keys were found and now there
are some tools to decrypt and recrypt the savegames called [Segher's Wii.git](http://wiibrew.org/wiki/Segher's_Wii.git).
To compile them, you need to also compile OpenSSL, add the `include`-directory of OpenSSL to the search path for gcc and
also point the `ld` to the compiled libcrypto.a.
After that, find the 3 interesting keys on [HackMii](http://hackmii.com/2008/04/keys-keys-keys/), which are `md5-blanker`,
`sd-iv` and `sd-key`.
Create a directory `~/.wii` and put the 3 keys in ***binary*** form in there. (No text file with the values as numbers
and letters but binary files with exactly 16 Bytes per file. Use `ghex2` or such.)
If everything is correct, you can uncompress savegames data.bin using `tachtig` and recompress them using `twintig`.

28
know-how/hacking/nintendo-wii/_posts/2009-01-18-mplayer-samba.md Normal file
View File

@ -0,0 +1,28 @@
---
title: MPlayer and Samba
language: en
layout: default
created: 2009-01-18 23:26:15 +0100
updated: 2009-01-18 23:26:15 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
The [MPlayer Christmas Edition](http://www.elotrolado.net/hilo_mplayer-christmas-edition_1157252) for Wii supports SMB
browsing. You can configure the login data of the desired SMB share through the `smb.conf` on the SD card as follows:
~~~
ip=192.168.1.100
share=Public
user=wii
pass=somethingelse
port=445
~~~
For it to work, you **MUST** use a dedicated user in Samba. Guest shares won't work. Also make sure you have
**`security=user`** set in your Linux `smb.conf`. For more information see
[this thread](http://www.tehskeen.com/forums/showpost.php?p=48403&postcount=76) as tehskeen.com.

40
know-how/hacking/nintendo-wii/_posts/2009-01-30-encryption-keys.md Normal file
View File

@ -0,0 +1,40 @@
---
title: Nintendo Wii Encryption Keys
language: en
layout: default
created: 2009-01-30 12:56:51 +0100
updated: 2009-01-30 13:00:54 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
To use these keys with e.g. [Segher's Wii.git](http://wiibrew.org/wiki/Segher's_Wii.git), you have to put them in binary
files, i.e. use a Hex-Editor and paste these keys so that you get a 16 Byte long file for each key. Segher's tools
expect them to be located in `~/.wii/<keyname>`, e.g. `~/.wii/common-key`.
common-key
==========
ebe42a225e8593e448d9c5457381aaf7
sd-key
======
ab01b9d8e1622b08afbad84dbfc2a55d
sd-iv
=====
216712e6aa1f689f95c5a22324dc6a98
md5-blanker
===========
0e65378199be4517ab06ec22451a5793

24
know-how/hacking/nintendo-wii/_posts/2009-03-23-favourite-games.md Normal file
View File

@ -0,0 +1,24 @@
---
title: Favourite Wii Games
language: en
layout: default
created: 2009-03-23 00:38:45 +0100
updated: 2009-03-23 00:38:45 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
Here's a list of my favorite Wii games:
| Game | Genre | Comment |
|:-----------------------|:---------:|:-----------|
| Red Steel | FPS | great soundtrack, nice story; hate the swordfights though |
| Metroid Prime 3 | FPS | nice graphics |
| Onslaught (WiiWare) | FPS | lots of fun playing this plain and straight forward shooter |
| World of Goo (WiiWare) | Puzzle | very addictive |
| Okami | Adventure | really great graphics, nice gameplay |
| NfS: Undercover | Racing | made a lot of fun playing it with the GC controller |

23
know-how/hacking/nintendo-wii/_posts/2009-05-22-mii-to-ds.md Normal file
View File

@ -0,0 +1,23 @@
---
title: Mii to NDS Transfer
language: en
layout: default
created: 2009-03-10 01:08:20 +0100
updated: 2009-05-22 00:16:54 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
The *Mii Channel* has a hidden **Transfer to DS** option. According to [cubed3.com](http://www.cubed3.com/news/11049)
the only NDS game using this for now is the Japanese title *Aruite Wakaru Seikatsu Rhythm DS*. To enable the feature,
do this:
1. go to the *Mii Channel*
1. push <kbd>A</kbd> once
1. push <kbd>B</kbd> once
1. push <kbd>1</kbd> once
1. hold <kbd>2</kbd>

27
know-how/hacking/nintendo-wii/_posts/2009-10-07-wii-homebrew-channel.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Wii Homebrew Channel
language: en
layout: default
created: 2009-10-07 22:46:34 +0200
updated: 2009-10-07 22:48:41 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
Install on 4.2e
===============
* Download the [bannerbomb v2](http://bannerbomb.qoid.us/index.new.php) and unzip the file to your SD-Card (make sure
to remove ANY OTHER Wii data from the `private` directory otherwise it will NOT work!)
* Download the [HackMii Installer](http://bootmii.org/download/) and put the `boot.dol` in the root of the SD-Card
* Start the Wii, remove any disc
* select the SD-Channel (bottom left)
* insert the prepared SD-Card and wait for the *Start boot.dol?*-prompt (if it freezes, hold Power-button to reboot the
Wii then try again)
* select *Yes*
* follow the instructions (you most probably want to install all 3 options - try to install BootMii as boot2, if it
doesn't work, install as IOS)

27
know-how/hacking/nintendo-wii/_posts/2010-05-08-usbloader-gx.md Normal file
View File

@ -0,0 +1,27 @@
---
title: USBLoader GX
language: en
layout: default
created: 2010-05-08 12:47:47 +0200
updated: 2010-05-08 12:47:47 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
* **Homepage:** <http://usbloadergx.koureio.net/>
Foreign games settings
======================
(for PAL TVs)
* If the game appears all in red, activate the *VidMode: AutoPatch* setting.
* If `Error #02` appears, activate the *Error 02 Fix*
* If you only see a black screen after launching the game, make sure, the Game is not Japanese- or English-only. If so,
change the *Game language* setting to match that of the game. (Some games don't have a fall-back setting for their
language, so they will crash if the Wii is set to another language than supported.)

110
know-how/hacking/nintendo-wii/_posts/2010-11-14-backup-games-to-usb-hdd.md Normal file
View File

@ -0,0 +1,110 @@
---
title: Backup games to USB HDD
language: en
layout: default
created: 2009-05-24 19:35:29 +0200
updated: 2010-11-14 16:05:02 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- nintendo
- wii
---
* [mikeandheth.com](http://www.mikeandheth.com/games/97-connect-wii-usb-hard-drive.html)
* [gbatemp.net](http://wiki.gbatemp.net/wiki/index.php?title=USB_Loader_Releases) --- List of USB Loader programs for the Wii
* [gbatemp.net](http://wiki.gbatemp.net/wiki/index.php?title=WBFS_Managers) --- List of WBFS Managers (programs to copy game ISO files to USB via your PC)
* [usbloadergx.koureio.net](http://usbloadergx.koureio.net/) --- USBLoader GX homepage
* [gbatemp.net](http://gbatemp.net/index.php?showtopic=144844) --- Linux WBFS Manager ([updated version](http://gbatemp.net/index.php?showtopic=145747&hl=cojiro))
* [Wiithon](https://launchpad.net/wiithon) --- Python WBFS Manager (best for Linux!)
* [code.google.com](http://code.google.com/p/linux-wbfs-manager/) --- another Linux WBFS Manager
* [gbatemp.net](http://gbatemp.net/index.php?showtopic=146731&hl=linux) --- FUSE module for WBFS (unstable)
System Menu 4.2
===============
<p><div class="notewarning" markdown="1">
Only backup games you really own. **DO NOT BACKUP BORROWED GAMES OR DOWNLOAD THEM FROM THE INTERNET!** If nobody
actually buys Wii games then the creators won't make any more games. (Also you wouldn't want to end up like [this](http://youtube.com/watch?v=ALZZx1xmAzg),
would you?) However backing up games not only prevents your discs from damage but also makes the games load faster.
</div></p>
<p><div class="noteimportant" markdown="1">
Keep in mind that you could brick your Wii. Only do these steps if you want to take this risk. These steps worked for
me but **I can not be held responsible if they don't work for you or even damage your Wii**.
</div></p>
To patch *System Menu 4.2* to allow backup (and playing of these backups) of games, follow the instructions at [wiihacks.com](http://www.wiihacks.com/recommended-faqs-guides-tutorials-only/24630-full-hacking-guide-4-2-system-menus-79.html).
1. Install the [HomeBrew Channel, DVDX and BootMii]({% post_url 2009-10-07-wii-homebrew-channel %})
* make a backup of your NAND flash using BootMii
1. after switching on your Wii, you'll be in the BootMii menu (4 icons)
1. use <kbd>Power</kbd> to select the gears on the right
1. use <kbd>Reset</kbd> to choose the gears
1. the first icon (green arrow pointing from IC to SD-Card) should be highlighted
1. use <kbd>Reset</kbd> to choose this one
1. follow the instructions to backup the NAND (don't wonder about the bad blocks. Some Wii have up to 80!)
1. Use one of the packages from *Part B* of the wiihacks-guide to uninstall ios249
1. prepare and insert SD card
1. boot your Wii, the *WAD Manager* should run (alternatively: Go to HBC and launch BootMii from there)
1. in the IOS-selection, select **ios36** (others like 249, 250 might also work, but froze my Wii)
1. select SD-card as source, press <kbd>A</kbd>
1. select `IOS249.WAD`, press <kbd>A</kbd>
1. change action to **Uninstall WAD**, press <kbd>A</kbd>
* if it gives errors at this point, try one of the other packages
1. Use one of the packages from *Part C* of the wiihacks-guide to install cios38rev14
1. prepare and insert SD card
1. boot your Wii, the *cios38-Installer* should run (alternatively: Go to HBC and launch BootMii from there)
1. in the IOS-selection, keep pressing <kbd>Left</kbd> until **Do not reload IOS** is shown, press <kbd>A</kbd> (might try other IOSes, but it worked fine this way)
1. if you have a working Internet connection, select **Network install**, otherwise use **WAD install** and press <kbd>A</kbd>
* if you chose **WAD install**, select the `IOS38-64-v3610.wad` on your SD card
1. Proceed with the installation and you are done
After this procedure you will be able to use a USB Launcher to make and play backups or a DVD Launcher to play backup DVDs.
<p><div class="noteclassic" markdown="1">
For [some games](http://wiki.gbatemp.net/wiki/index.php?title=USB_Loader_v1.x_Game_Compatibility) it might be needed to
install *Hermes' cIOS* as well. See [wii-homebrew.com](http://www.wii-homebrew.com/download/nintendo-wii-downloads/firmware-und-hacks/originale/hermes-cios)
for instructions. (In German, sorry!)
</div></p>
Shop Channel Update
===================
On October, 21st 2009, Nintendo released a Shop Channel Update. [This post](http://forum.wiibrew.org/read.php?21,38699)
implies that it may be safe to do this update if you are already on 4.2. After I made this update, the *USBLoader GX*
rev. 799 crashed after showing the startup logo. So be sure to make a backup using *BootMii*.
**UPDATE:** The official update seems to reset the IOS249 (and maybe other IOSes). So you either have to repatch your
Wii after the update or use *[WiiSCU](http://wiibrew.org/wiki/WiiSCU)* to update the *Shop Channel* and *IOS61*
(**Note:** Use `-trucha` setting) only.
Burn backups to DVD
===================
You can use any WBFS Manager tool to transfer the backups to your PC (as a ISO file) and burn them onto a DVD. You can
then play the games from DVD using a DVD Launcher such as [NeoGamma](http://www.gbatemp.net/index.php?showtopic=158884).
Make sure, your burning program keeps the book type of **DVD-ROM**. In *Nero* you have to go to the *Choose Recorder*
dialog, *Advanced options* to set the book-type from **Auto** to **DVD-ROM**. Also burn with the slowest speed possible.
Media
-----
| Type | Works |
|:--------------------------|:-----:|
| Intenso DVD+R LightScribe | - |
| SONY DVD+R Ver. 1.3 | X |
| PHILIPS DVD+R LightScribe | X |
Play Call of Duty: Black Ops
============================
To play CoD:BO (and not get stuck in the *"Loading…"*-screen), you'll need the cIOS rev20b found [here](http://filetrip.net/f12411-cIOS-Installer-Xr20b.html).
Install using IOS249 from base 57 into slot 249. After that, the game should work.

17
know-how/hacking/sony-playstation-2/_posts/2008-12-05-dms4pro.md Normal file
View File

@ -0,0 +1,17 @@
---
title: DMS4Pro
language: en
layout: default
created: 2008-12-05 00:31:21 +0100
updated: 2008-12-05 00:31:21 +0100
toc: false
tags:
- know-how
- hacking
- hardware
- sony
- playstation
- pstwo
- dms4pro
---
**Firmware:** [sksapps.com](http://www.sksapps.com/index.php?page=dms4.html) (Latest is 0.41)

74
know-how/hacking/windows-mobile/_posts/2008-09-12-oggsync.md Normal file
View File

@ -0,0 +1,74 @@
---
title: OggSync for Windows Mobile
language: en
layout: default
created: 2008-09-12 22:19:31 +0200
updated: 2008-09-12 22:19:31 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- microsoft
- windowsmobile
---
**Tested Version:** 4.19
OggSync connects to `https://oggsync.com/r/r` or `https://oggsync.com/r/e` and sends the entered info (PayPal eMail or
Registration Code) along with some other info. You can find these URLs in cleartext Unicode inside the `ogsync.exe`.
The relevant fields of a `$_SERVER` dump are those:
**PayPal:** (I entered `anon@anon.com` as eMail address.)
~~~
[CONTENT_TYPE] => application/x-www-form-urlencoded
[HTTP_A] => 2008-09-10 3:58 PM
[HTTP_B] => 419
[HTTP_C] => 9465c02d-d768-4892-bc4d-45ea13c042dc
[HTTP_D] => your-gmail@gmail.com
[HTTP_E] =>
[HTTP_F] => 9/12/2008 8:03 PM
[HTTP_G] => 49e744a1-ff3b-40f7-baf0-a96239fa0830
[HTTP_H] => PayPal
[HTTP_I] => anon@anon.com
[HTTP_K] => W. Europe Daylight Time
[HTTP_L] =>
[HTTP_M] => mobile
[CONTENT_LENGTH] => 22
[HTTP_CONNECTION] => Close
[HTTP_EXPECT] => 100-continue
~~~
**Registration Code:** (The `12345` is the code I entered.)
~~~
[CONTENT_TYPE] => application/x-www-form-urlencoded
[HTTP_A] => 2008-09-10 3:58 PM
[HTTP_B] => 419
[HTTP_C] => 9465c02d-d768-4892-bc4d-45ea13c042dc
[HTTP_D] => your-gmail@gmail.com
[HTTP_E] =>
[HTTP_F] => 9/12/2008 8:01 PM
[HTTP_G] => c4781924-a538-41e8-8cb6-624e02b8d271
[HTTP_H] => Registration
[HTTP_I] => 12345
[HTTP_K] => W. Europe Daylight Time
[HTTP_L] =>
[HTTP_M] => mobile
[CONTENT_LENGTH] => 22
[HTTP_CONNECTION] => Close
[HTTP_EXPECT] => 100-continue
~~~
The first UUID in `HTTP_C` might be a unique code to identify your device. The second one changes with every try to
register. There was a post in the [PPCWarez-Forum](http://forum.ppcwarez.org/) that *OggSync* expects the server to
answer with "Pro" if the registration data is correct. Any other answer will be interpreted as failure.
Knowing this, you might wonder what happens if you use your favourite hex-editor, change the URLs to point to a server
you own and put this totally complicated PHP script onto it:
{% highlight php %}
<?php
echo 'Pro';
?>
{% endhighlight %}