Mii Channel [HACA]

Started by Sharkbyte, March 13, 2011, 06:46:51 PM


Sharkbyte

lol

Does anyone think it is possible to make a code for editing miis that you didn't create?

I have tried making this code and have failed. I don't know if it is in the channel itself that blocks you from editing miis you didn't create, but I want to be able to edit them. All I did was transfer my miis over to the other wii and it says you can't edit this mii. I did create them. I just need a code to edit them.

dcx2

Try searching for your Mii's name.  There's probably just a flag that indicates whether you can edit the Mii.

Thomas83Lin

#2

I was bored so I thought I'd play around with this a little; maybe this info will become useful to you.

Ok the 9.9.9 is my Mii Name which Shows as 999 so it can be offset, which would be why you may not have found it.

Anyways, what I've found out is that changing the highlighted part when you are editing your Mii, then quitting without saving, your Mii will then have the message you can't edit this Mii. Then re-correcting this value, and editing a different Mii then saving again, will fix the previous Mii. I'll try unlocking a locked Mii later, when I get some free time. The highlighted value is the same for all my Miis, but not for the locked Miis. This value most likely won't be the same on your Wii.
btw all the Miis are back to back in mem.

edit:
Bingo I managed to unlock a Mii
[spoiler]


See, I added the highlighted part B i x e.[42CE58E8], my personal 32-bit code, to unlock this Mii that I got from Check Mii Out. I'm 99% sure the 32-bit hex code will be different per Wii. Also notice how it's offset between two 32-bit words; it's placed kind of randomly. Also it's random how far it is located from the name itself. I didn't see a real pattern to it. Maybe I'll try to find the check, but it only checks between editing and viewing all your Miis.
btw if you're wondering about the nickname 888: when importing a Mii from Check Mii Out, it lets you choose the name.
Your 32-bit code should stand out amongst the other data if you have multiple Miis. Figuring out where to place the code in the locked Mii requires some poking.
[/spoiler]






Thomas83Lin

#3
Quote from: Sharkbyte on March 15, 2011, 11:20:31 PM
The addresses are the same and the offsets are always the same. From where the name starts, go exactly 1A from there and then poke 42BD719F and then edit one you have created, then go back and you will be able to edit the non-created one. We just need a code to permanently make the game think we really did create it. (like your goldeneye unlock codes, permanent if saved)

btw, thanks a million for finding that.
No problem, it was a pain to find. Making a code will be harder to do though. Either a code or a tut on how to do it will work, preferably a code.

edit: forgot not everyone has a USB Gecko. If I come up with something I'll let you know. If you're correct and the addresses are always the same it should be easy enough. If you're working on it, I won't worry about it.


Thomas83Lin

#4
If you don't mind, could you test this? It's only temporary.

Temporary Mii Unlock [Thomas83Lin]
04047440 60000000
*For Versions 5-6*

I couldn't get a permanent  code to work correctly.


dcx2

The quest for a permanent Mii Unlocker...

Using thomas' code as a starting point, I found that 80020D8C:  98030059   stb   r0,89(r3) writes the last byte of the four-byte identifier when copying a Mii to or from the Wiimote.  Using a hook, you can insert your own identifier.


C2020D8C 00000005
380000aa 98030056
380000bb 98030057
380000cc 98030058
380000dd 98030059
60000000 00000000

where 0xaabbccdd is your identifier.

---

Then I restarted.  However, my Mii was still locked.  Odd.  I tried transferring the Mii from the Wiimote again...and this time she was unlocked, and stayed unlocked.  Why?

Here's what I think happens.  When you transfer the real Mii from the Wiimote the first time, it tries to spoof the identifier, but the one that it over-writes is not the one that gets saved to the Wii's NAND, for some reason.  However, the Mii that ends up in RAM is in fact spoofed, so you can transfer that spoofed Mii back to the Wiimote.  So the Wiimote now has the spoofed Mii, and the RAM has the spoofed Mii, but the NAND has the real Mii.  Restart the Wii, and the real Mii is loaded from NAND.  Delete the real Mii, and copy the spoofed Mii back off of the Wiimote.  This time, it copies the spoofed identifier to the NAND!  You can now restart and your Mii will be unlocked forever.

---

Problem is, you need to know your identifier so you can spoof it.  For us, that's easy.  For Joe Cheater, it's not.  I'll work on finding some way to automatically acquire each Wii's unique identifier.

dcx2

Unlock Mii during transfer on any Wii [dcx2]
C213F594 00000003
48000009 00000000
7D8802A6 90AC0000
90BF0000 00000000
C2020D8C 00000006
48000005 7D8802A6
880CFFE0 98030056
880CFFE1 98030057
880CFFE2 98030058
880CFFE3 98030059
60000000 00000000

This is two C2 codes

captures the per-Wii unique identifier and places it in the ".int 0"

8013F594:

bl SKIP_DATA
.int 0             # LR points HERE for this code
SKIP_DATA:
mflr r12
stw r5,0(r12)
stw r5,0(r31)


reads the previous code's stored identifier (note the negative offsets for lbz) and over-writes the Mii's identifier with it

80020D8C:

bl 4
mflr r12   # LR points HERE for this code
lbz r0,-32(r12)
stb r0,86(r3)
lbz r0,-31(r12)
stb r0,87(r3)
lbz r0,-30(r12)
stb r0,88(r3)
lbz r0,-29(r12)
stb r0,89(r3)

---

Note that you are still required to transfer the Mii several times.

Wiimote to Wii
Wii to Wiimote
Restart Wii
Delete Mii on Wii
Wiimote to Wii again
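
The code lines in the post above can be checked against its assembly listing by decoding them, which shows exactly which bytes a posted code writes before anyone loads it. This is an added example, not code from the thread; it assumes a C2 line hooks at 0x80000000 plus its low 24 bits (consistent with the 8013F594 and 80020D8C addresses given in the post) and decodes only the instruction forms these codes use.

```python
# Added example: decode Gecko C2 lines; CODE is copied from the post above.
CODE = """
C213F594 00000003
48000009 00000000
7D8802A6 90AC0000
90BF0000 00000000
C2020D8C 00000006
48000005 7D8802A6
880CFFE0 98030056
880CFFE1 98030057
880CFFE2 98030058
880CFFE3 98030059
60000000 00000000
"""
D_FORM = {32: "lwz", 34: "lbz", 36: "stw", 38: "stb"}  # opcode -> mnemonic

def disasm(w):
    """Decode only the instruction forms these codes use; else emit .int."""
    op, rt, ra = w >> 26, (w >> 21) & 31, (w >> 16) & 31
    if w == 0x60000000:
        return "nop"
    if w & 0xFC1FFFFF == 0x7C0802A6:          # mfspr rT,LR
        return f"mflr r{rt}"
    if op == 18 and not w & 2:                # relative b / bl
        li = w & 0x03FFFFFC
        li -= 0x04000000 if li & 0x02000000 else 0
        return f"{'bl' if w & 1 else 'b'} {li:+#x}"
    if op in D_FORM:
        d = w & 0xFFFF
        d -= 0x10000 if d & 0x8000 else 0     # sign-extend displacement
        return f"{D_FORM[op]} r{rt},{d}(r{ra})"
    return f".int {w:#010x}"

def parse_c2(text):
    """Return [(hook_address, [mnemonics])] for each C2 block in text."""
    words = [int(t, 16) for t in text.split()]
    hooks, i = [], 0
    while i < len(words):
        if i + 1 >= len(words) or words[i] >> 24 != 0xC2:
            raise ValueError(f"expected C2 header at word {i}")
        addr = 0x80000000 | (words[i] & 0x00FFFFFF)  # assumed base address
        n = 2 * words[i + 1]                         # two words per code line
        body = words[i + 2 : i + 2 + n]
        if len(body) != n:
            raise ValueError("truncated C2 block")
        hooks.append((addr, [disasm(w) for w in body]))
        i += 2 + n
    return hooks
```

Calling `parse_c2(CODE)` returns the two hooks with the same instruction sequence as the listing in the post, including the negative `lbz` displacements that reach back to the first hook's `.int 0` slot.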

Thomas83Lin

Good job Dcx2, Nice Code :)

dcx2

You did half the work by giving me an ASM address that I could use to find Mii's.  After that, it was just cruising the disassembly.

I came up with a better hook.  Now the Mii is permanently unlocked on any Wii after the first transfer from the Wiimote to the Wii, no need to copy it back and forth.  You can even edit it as soon as you transfer.


C213F594 00000003
48000009 00000000
7D8802A6 90AC0000
90BF0000 00000000
C2020BB4 00000006
48000005 7D8802A6
880CFFE0 9804004A
880CFFE1 9804004B
880CFFE2 9804004C
880CFFE3 9804004D
A0040000 00000000

Thomas83Lin

Very cool. I've found if you combine mine and dcx2's code, there's no need to transfer the Mii, just edit and save. I'm wondering if these can be added to the Database.

dcx2

That is one thing I took for granted...I didn't try to transfer the Mii and then quit straight away without checking Edit Mii.  I guess when you Quit Without Saving it still saves...? 

Anyway, I'm glad it works, and that the same code works for every Wii.  ^_^

If this was to go on the database...where would it go?

dcx2

You only have to save Miis that are transferred from a Wiimote, right?

And by "save", all you have to do is drag a spoofed Mii onto the Edit Mii button?  Can you quit without saving then, or do you need to save when leaving the Edit menu?

Bully@Wiiplaza

#12
Thanks for the pre-work, guys. I've taken dcx2's hook for getting the own id and found the memory location which stores data when editing miis. Not possible without Thomas83Lin's enabler code, though. ;D

Gain Mii Possession Permanently [Bully@Wiiplaza]
C213F594 00000002
90BF0000 3D809069
90AC1A06 00000000
*Credits to dcx2*
*Must use Thomas83Lin's "Temporary Mii Unlock"*
*Edit a mii and save*
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully