Hey everyone,
long time no see. I came by to drop a small thing. I saw on my Wii U that my kids updated it and, well, I didn't have haxchi or DNS blocks. Since I had my SPI eeprom dump of the Wii U and I knew how to decrypt the USB from before (I've posted it somewhere on here), I thought I could simply get back access to the HBL by replacing a few files. Well, it was way more complex than I thought, as the freaken WFS filesystem has hashes and checks everywhere, different IVs for different blocks and so on. After a bit I figured out what the IV is for the block I wanted to replace and where to change the hashes. So I wrote myself a quick tool to inject a block and tested it with the https://github.com/Kinnay/DKCTF-Save-Exploit from Kinnay and it worked. A few days later @EyeKey released his tools for WFS, which are really great btw. With those tools it would have been way easier for me...oh well. Anyway, since I don't have the time to finish the ROP for DKCTF, I bought myself an eshop card now and got this Kawashima game and injected the rom.zip. That worked too. So I have my access to HBL back (if I ever need it).
Since the tools of EyeKey are available now (too bad it's read only) and I thought probably more people like me would want to inject haxchi into their system, I added a few printfs to EyeKey's lib to print the necessary stuff for my injector tool. With that it is actually also usable for an end user. So here is the injector tool I wrote (attached). It's actually a quick hack together of a few encryptions/decryptions and not the best example, but it does what I needed it for. I also attached a patch with the changes I made to EyeKey's lib. If I had had his sources a bit earlier, I probably would have done my injector stuff inside his lib. You are welcome to do something like that.
Here is how you use it:
Code:
wiiu_usb_inject PATH_TO_IMG USB_KEY PATH_TO_DATA_BLOCK META_SECTOR META_IV DATA_SECTOR DATA_IV
Example:
wiiu_usb_inject wiiu_usb.img 12345678901234567890123456789012 ./haxchi/installer/data/brainage.zip 00009320 00002000923D0340003BB80000000200 00015400 00010000923DC420003BB80000000200
Where wiiu_usb.img can also be /dev/sdb, for example, for direct drive modification (don't forget sudo). As you can see you need the USB key, and the wfsdumper will print it for you with my prints in it. Of course the minimum requirement is a seeprom dump (the OTP usb key is actually equal on all consoles as far as I know, and you could probably use a dummy file with the correct key at the correct position).
To get the necessary keys, sectors and IVs for my tool you just run EyeKey's tool with my modifications.
For example:
Code:
./wfsdumper --otp ../otp.bin --seeprom ../seeprom.bin --input ../wiiu_usb.img --output ../dump/ --dump-path /usr/title/00050000/10179c00/content/0010
And you look in the prints for the block you want to modify which in my case was this:
Code:
...
rom.zip
IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320
IV 00010000923DC420003BB80000000200 DataBlock at 00015400
...
You just copy those data and use them with my tool.
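As an added illustration (not the attached injector, not EyeKey's lib, and not the real WFS layout), here is a constructed Go model of the situation the post describes: a block store where every sector is encrypted with a per-sector IV and a metadata sector carries a hash of a data sector. The sector size, the IV rule and the metadata contents are all assumptions made up for the example. It shows the two things the post ran into: a data sector swapped in on its own fails the hash check (which is what that check is for), and a complete injection also has to rewrite the metadata, which anyone holding the decryption key can do. That second point is the defender's takeaway: an integrity hash stored inside the same encrypted container catches accidental corruption and incomplete edits, but it does not protect against a party who has the key, and the post's own scenario, a key taken from a SEEPROM/OTP dump, is exactly that case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const SectorSize = 512 // sector size of this constructed toy container (not the WFS layout)

// Container is the toy block store: every sector is AES-CBC encrypted under one key with a
// per-sector IV; a metadata sector holds SHA-256(data plaintext) and the data sector number.
type Container struct {
	block   cipher.Block
	Sectors map[uint32][]byte // sector number -> ciphertext, SectorSize bytes each
}

func NewContainer(blk cipher.Block) *Container {
	return &Container{block: blk, Sectors: map[uint32][]byte{}}
}

// blockIV derives the per-sector IV from the sector number (constructed rule, rest is zero).
func blockIV(sector uint32) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[0:4], sector)
	return iv
}

// writeSector encrypts one sector-sized plaintext under the sector's IV and stores it.
func (c *Container) writeSector(sector uint32, plain []byte) {
	ct := make([]byte, SectorSize)
	cipher.NewCBCEncrypter(c.block, blockIV(sector)).CryptBlocks(ct, plain)
	c.Sectors[sector] = ct
}

// readSector decrypts a stored sector, failing if it is absent.
func (c *Container) readSector(sector uint32) ([]byte, error) {
	ct, ok := c.Sectors[sector]
	if !ok {
		return nil, fmt.Errorf("sector %08X not present", sector)
	}
	plain := make([]byte, SectorSize)
	cipher.NewCBCDecrypter(c.block, blockIV(sector)).CryptBlocks(plain, ct)
	return plain, nil
}

// InjectRaw replaces only the data sector (zero-padded) and leaves the old metadata hash stale.
func (c *Container) InjectRaw(dataSector uint32, data []byte) ([]byte, error) {
	if len(data) > SectorSize {
		return nil, fmt.Errorf("%d bytes do not fit one %d-byte sector", len(data), SectorSize)
	}
	plain := append(make([]byte, 0, SectorSize), data...)[:SectorSize] // zero-padded to one sector
	c.writeSector(dataSector, plain)
	return plain, nil // the padded plaintext, so callers can hash exactly what was written
}

// Inject replaces the data sector AND rewrites the metadata hash, so the container verifies again.
func (c *Container) Inject(metaSector, dataSector uint32, data []byte) error {
	plain, err := c.InjectRaw(dataSector, data)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(plain)
	meta := append(make([]byte, 0, SectorSize), sum[:]...)[:SectorSize] // hash, then padding
	binary.BigEndian.PutUint32(meta[32:36], dataSector)
	c.writeSector(metaSector, meta)
	return nil
}

// Verify follows the metadata sector to its data sector and checks the stored hash against it.
func (c *Container) Verify(metaSector uint32) ([]byte, error) {
	meta, err := c.readSector(metaSector)
	if err != nil {
		return nil, err
	}
	dataSector := binary.BigEndian.Uint32(meta[32:36])
	data, err := c.readSector(dataSector)
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(data); !bytes.Equal(sum[:], meta[:32]) {
		return nil, fmt.Errorf("hash mismatch for data sector %08X", dataSector)
	}
	return data, nil
}

func main() {
	blk, _ := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16)) // constructed key, not a console key
	c := NewContainer(blk)
	c.Inject(0x9320, 0x15400, []byte("original payload"))
	c.InjectRaw(0x15400, []byte("replacement payload")) // data sector only
	_, err := c.Verify(0x9320)
	fmt.Println("after raw replacement:", err) // hash mismatch
	c.Inject(0x9320, 0x15400, []byte("replacement payload")) // data sector plus metadata
	_, err = c.Verify(0x9320)
	fmt.Println("after full inject:", err) // <nil>
}
```

Running the block prints a hash mismatch after the raw replacement and `<nil>` after the full injection; the sector numbers 0x9320 and 0x15400 are only borrowed from the post's example to make the two steps easy to map onto the command line above.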
I attached the two binaries I used, both compiled on a 32-bit Ubuntu 16.04 LTS. I am not going to port it for Windows. You will have to do that on your own.
To compile my tool you can do this:
gcc -O3 wiiu_usb_inject.c -o wiiu_usb_inject -lcrypto -lssl
Have fun with it.
This does not mean I am "back". I am looking into the forums from time to time, but don't expect me to contribute to the Wii U scene very much, at least not very soon. I am still very low on time I could invest into the Wii U. I learned from my mistake and set up the blocking DNS stuff now, so I won't have to do something like that again.
As said above, @EyeKey's tool does most of the hard work which I had to do manually before and therefore big credits go to him. Really awesome work there.